Introduction



NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models.



This chapter covers the following topics: 

• Introduction to the Traffic Director Server Appliances 

• Assumptions 

• Benefits 

• Specifications 

• Typographic Conventions 
Introduction to the Traffic Director Server Appliances

The HP e-Commerce Traffic Director Server Appliance SA8200/ 
SA8220s and the HP Traffic Director Server Appliance SA7200/ 
SA7220s provide reliable load balancing, failover, and policy-based 
management to Web sites, Intranets, and e-Commerce sites. These 
models also include intelligent content routing, and are the best load 
balancing solution available for the reasons shown below. 



Feature: Reliability
The SA8220 provides 7 x 24 uptime through failover systems and the inherent robustness of leading network protocols.

Feature: Fault Resistance
The SA8220-managed configurations offer many features and capabilities that improve the availability and reliability of server-based services.

Feature: Policy-based Management
The SA8220 allows system administrators to implement classes of service, assign priority levels, and set target response times.

Feature: Intelligent Content Routing (SA8200/SA8220 only)
The SA8220 takes application-aware routing to a new level with the ability to segment Internet content according to the requested URL.

Feature: Error Recovery
Application intelligence allows the SA8220 to understand and correct application errors transparently to the end user.

Feature: Secure Sockets Layer Acceleration (SA8200/SA8220 only)
The SA8220 can offload encrypted web traffic (HTTPS), providing a significant performance improvement over web server based Secure Sockets Layer (SSL) processing.



Assumptions 

This User Guide assumes that you are a network administrator and 
that you have at least a basic understanding of the following: 

• Networking concepts and terminology 

• Network topologies 

• Networks and IP routing 



Benefits 

SA8220 benefits are listed below. 



Benefit: Substantial performance boost and reliability for e-Commerce (SA8200/SA8220 only)
The SA8220 can increase the speed, scalability, and reliability of multi-server e-Commerce sites. It regains the speed lost by servers processing secure transactions by delivering faster SSL processing. It integrates SSL processing with third generation traffic management technology, eliminating errors and improving Quality of Service (QoS). This unique capability ensures that customers working with sensitive information or buying online receive timely responses, do not see error messages, and are confident that delivery of their information is kept private.

Benefit: Up to 150 times SSL acceleration (SA8200/SA8220 only)
E-Commerce sites suffer dramatic performance degradation as secure transactions increase. Using patent-pending technology to perform cryptographic processing offloaded from the server, the SA8220 (only) can support up to 1200 SSL connections per second.

The SA8220 enables e-Commerce sites to transact secure business and deliver sensitive information quickly and confidentially. It performs all key management and encryption. The result is a tremendous performance boost for heavily trafficked e-Commerce sites.
Benefit: Substantial economic benefits (SA8200/SA8220 only)
The SA8220 improves customer satisfaction by improving the response time for secure transactions. E-Commerce sites can now enjoy the benefits provided by having secure transactions participate in layer 7 intelligent traffic management. This creates substantial economic savings for e-Commerce sites through improved customer satisfaction, lower cost of ownership, and reduced server provisioning requirements.

Performance degrades dramatically as more customers access a site in secure SSL mode, frustrating the very customers who are trying to make a purchase. The SA8220 is essential to providing high performance and superior levels of service when building reliable, scalable, and secure e-Commerce sites.

Benefit: SSL acceleration and intelligent traffic management benefits (SA8200/SA8220 only)

• Off-loading SSL handling from e-Commerce servers improves overall site performance and customer response time

• Accelerated SSL processing eliminates over-provisioning capacity

• Lower processing demands on the server create greater capacity for your e-Commerce site

• Drop-in installation avoids impacting your mission critical e-Commerce servers

• Response-time based prioritized service for secure transactions

• Improved responsiveness, reliability, and QoS for secure transactions means delivering the highest levels of support for paying customers

• Ensures that e-Commerce merchants are always open for business by preventing "Server Too Busy" and "File Not Found" errors, even for secure transactions

Benefit: Intelligent content routing for SSL transactions (SA8200/SA8220 only)
The SA8220 incorporates intelligent traffic management for secure transactions, dramatically improving an e-Commerce site's responsiveness, reliability, and QoS. While typical traffic management devices make decisions based only on information at Layer 4 in the network stack, the SA8220 combines Layer 4 through 7 (application/content) awareness to speed up response times and eliminate error messages for secure transactions. It keeps e-Commerce sites open for business, even during back-end transaction problems or content glitches.

Benefit: Intelligent session recovery for transactions (all models except the SA7200)
The SA8220 provides Intelligent Session Recovery technology for transactions. By monitoring content within the response sent back by the server, Intelligent Session Recovery detects HTTP 400, 500, or 600 series errors, transparently rolls back the session, and redirects the transaction to another server until the request is fulfilled.

Benefit: Response-time based prioritized service for secure transactions
The SA8220 enables system administrators to implement varying classes of service, assign priority levels, and set target response times for secure transactions. The SA8220 continually measures the response times of each class of service group and assigns incoming requests to the server that can fulfill those requests within the predefined response time. If the response time exceeds the predefined threshold, requests designated as high priority receive preference over those of lower priority. The SA8220 allows you to offer predictable performance for high-priority secure requests.
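As an added illustration of the response-time based prioritized service described above (this is a model written for this page, not HP's code or the appliance's actual algorithm): each server's recently measured response times decide whether it can meet a class's target; requests go to a server inside the target, and once any class misses its target, higher-priority classes are served first. Class names, targets and the response-time samples are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Server:
    """A fulfillment server with the response times the appliance measured."""
    name: str
    samples: list = field(default_factory=list)  # recent response times, ms

    def observe(self, ms: float) -> None:
        # keep a short sliding window so the estimate tracks current load
        self.samples = (self.samples + [ms])[-8:]

    def avg_ms(self) -> float:
        return mean(self.samples) if self.samples else 0.0


@dataclass(frozen=True)
class ServiceClass:
    """A class of service: lower priority number wins when targets are missed."""
    name: str
    priority: int
    target_ms: float  # predefined target response time


def pick_server(servers, svc):
    """Return (server, met_target).

    Prefer servers currently inside the class's target; among those, the
    fastest. If none qualifies, fall back to the least-loaded server so the
    request is still served rather than dropped."""
    within = [s for s in servers if s.avg_ms() <= svc.target_ms]
    pool = within if within else list(servers)
    return min(pool, key=lambda s: s.avg_ms()), bool(within)


def dispatch(requests, servers):
    """requests: [(request_id, ServiceClass)] in arrival order.
    Returns [(request_id, server_name)] in the order they are served."""
    # While every class can still be met, serve in arrival order. Once any
    # class misses its target, higher-priority classes go first (sorted() is
    # stable, so arrival order is preserved within a class).
    missed = any(not pick_server(servers, svc)[1] for _, svc in requests)
    order = sorted(requests, key=lambda r: r[1].priority) if missed else list(requests)
    return [(rid, pick_server(servers, svc)[0].name) for rid, svc in order]
```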
Specifications

SA8220 specifications are listed below. An X marks a model that has the feature.

Specification                  | Description                                                                                   | SA7200 | SA7220 | SA8200/SA8220
[category heading illegible] supported | Any web server (Apache, Microsoft, Netscape, etc.)                                    | X      | X      | X
                               | Any operating system (UNIX*, Solaris*, Windows NT*, BSD*/BSDI*, AIX*, etc.)                   | X      | X      | X
                               | Any server hardware (SUN, HP, IBM, Compaq, SGI, Intel-based platforms, etc.)                  | X      | X      | X
                               | No practical limit on number of servers                                                       | X      | X      | X
System Administration          | Command line interface                                                                        | X      | X      | X
                               | Web-based GUI                                                                                 | X      | X      | X
                               | SNMP monitoring (MIB II and Private MIB)                                                      | X      | X      | X
                               | Dynamic configuration through password-protected serial console, telnet, SSH v1, and SSH v2   | X      | X      | X
Specification                  | Description                                                                                   | SA7200 | SA7220 | SA8200/SA8220
Performance                    | SA8220 is rated up to 1200 HTTPS connections/sec, 2500 RICH HTTP connections/sec, 3500 HOT connections/sec, 95 Mb/sec. SA8200 is rated up to 600 HTTPS connections/sec, 1300 RICH HTTP connections/sec, 2800 HOT connections/sec. Both the SA8200 and the SA8220 are rated up to 6600 Max HTTP/HTTPS/sec. | X | X | X
                               | Layer 7 traffic management                                                                    |        | X      | X
                               | Patent-pending technology offloads all cryptographic processing from server                   | X      | X      | X
Dimensions                     | Mounting: Standard 19-inch rack mount                                                         | X      | X      | X
                               | Height: 3.5 inches (8.9 cm)                                                                   | X      | X      | X
                               | Width: 17 inches (43.2 cm)                                                                    | X      | X      | X
                               | Depth: 20.16 inches (51.21 cm) for the SA7200, SA7220, and SA8220; 23.75 inches (60.3 cm) for the SA8200 | X | X | X
Weight                         | 24 pounds (10.89 kg)                                                                          | X      | X      | X
Interface Connections          | Dual 10/100 Ethernet                                                                          | X      | X      | X
                               | TTY Serial - console                                                                          | X      | X      | X
                               | Failover port                                                                                 | X      | X      | X
Transparent Operation          | Supports single or multiple Virtual IP (VIP) addresses per domain                             | X      | X      | X
Priority Classes               | Application/protocol types supported: Any TCP Port, e.g., HTTP, HTTPS, FTP                    | X      | X      | X
Specification                  | Description                                                                                   | SA7200 | SA7220 | SA8200/SA8220
Intelligent Content Routing    | Content: URL, file types such as *.GIF, file paths such as \ads\, file names such as Index.html |       | X      | X
                               | Transactions: Transaction types such as *.CGI                                                 |        | X      | X
Intelligent Session Recovery (HTTPS is available on the SA8200/SA8220 only) | Automatically resubmits requests                 |        | X      | X
                               | Traps 400, 500, and 600 series errors for HTTP and HTTPS                                      |        | X      | X
Response-time based priority for secure and non-secure transactions | Sets and enacts target response times                    |        | X      | X
                               | Real-time performance monitoring                                                              |        | X      | X
                               | Automatic server weighting and tuning                                                         |        | X      | X
                               | Server-state aware ("sticky") based on:                                                       |        |        |
                               | - Source IP                                                                                   | X      | X      | X
                               | - SSL session ID                                                                              |        |        | X
                               | - HTTP cookie                                                                                 |        | X      | X
System Fault Tolerance         | Single site, single or multiple connections                                                   | X      | X      | X
                               | Automatic detection of status change and health of servers                                    | X      | X      | X
                               | Intelligent Resource Verification (IRV)                                                       | X      | X      | X
Specification                  | Description                                                                                   | SA7200/SA7220 | SA8200/SA8220
Security Features Supported    | SSL v2 and v3 for transaction security                                                        | X             | X
                               | SSH for secure Command Line Interface                                                         | X             | X
                               | IP filtering                                                                                  | X             | X
                               | Serial port logon                                                                             | X             | X


Typographic Conventions 

The following typographic conventions are used throughout this 
manual. 

ONE MODEL NUMBER (SA8220): For ease of reading, all models 
are referred to as the SA8220 throughout this document. Unless 
noted otherwise, all SA8220 references refer to all models. 

NOTES clarify a point, emphasize vital information, or describe options, alternatives, or shortcuts.

NOTE: This is an example of a note.

CAUTIONS are designed to prevent possible mistakes that could result in injury or equipment damage.

CAUTION: This is an example of a caution.

WARNINGS alert you to potential hazards to life or limb. Except for tables, warnings are always found in the left margin.

NUMBERED LISTS indicate step-by-step procedures that you must follow in numeric order, as shown below:

1. This is the first step.

2. This is the second step.

3. This is the third step, etc.

BULLETED LISTS indicate options or features available to you, as shown below:

• The first feature or option

• The second feature or option

• The third feature or option, etc.

ITALICS are used for emphasis or to indicate onscreen controls, as shown in this example:

4. To edit the configuration settings, press the Configure tab.

COMMANDS are shown in the following ways: 

• Any command or command response text that appears on the 
terminal is presented in the courier font. 

• Any text that you need to type at the command line appears in 
bold courier, for example: 

HP SA8220/config/policygroup#create gold

• Angled brackets (< >) designate where you enter variable 
parameters 

• Straight brackets ([ ]) show parameter choices, separated by 
vertical bars 

• Braces ({ }) show optional commands and parameters 

• VERTICAL BARS ( | ) separate the choices of input parameters
within straight brackets. You can choose only one of the set of
choices separated by vertical bars. Do not include the vertical
bar in the command.



CHAPTER 2

Theory of Operations



NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models. Also, all references to "RICH" functionality or "Expressions" in this chapter do not apply to the SA7200.



This chapter covers the following topics: 

• Services 

• FTP Limitations 

• Sticky Options 

• SSL Acceleration (SA8200/SA8220 only) 

• Load Balancing Across Multiple Servers 

• Server Configuration Options 

• Routing with Dual Interfaces 

• Prioritization and Policy Groups 

• Error Detection 



• Serial Cable Failover

General Operating Principles

This chapter discusses the general operating principles for the HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s, and the Traffic Director Server Appliance SA7200/SA7220s. For details about the SA8220 command set, please see "Command Line Interface" in Chapter 5. For information about completing specific tasks, please see "Scenarios" in Chapter 6.



Services 



Services are the virtual resources that the SA8220 provides to network clients. Services are defined by their Virtual Internet Protocol (VIP) address and virtual port number. The SA8220 load balances network client requests for a service by receiving requests from the user and directing them for fulfillment to the most appropriate resource in the provider's server farm. Services are defined and created within Policy Groups (please see "Prioritization and Policy Groups" in Chapter 2) and are managed using the following commands:



NOTE: The sample commands used in this chapter are meant as examples only.



config policygroup <policy-name> service create <service-name>
    vip <ipaddr> port <number> {type [TCP | UDP | RICH_HTTP]}
    {sticky [disable | src-ip | cookie]} {sticky-timeout <seconds>}
    {backups [enable | disable]} {response <milli-sec>}
    {priority <level>} {balancing [load | robin]}
    {server-timeout <seconds>}

config policygroup <name> service delete [<name> | -all]

config policygroup <name> service <name>
    {enable | disable} {balancing [robin | load]}
    {sticky [disable | src-ip | cookie]}
    {sticky-timeout <seconds>} {backups [enable | disable]}
    {response <milli-sec>} {dup-syn <micro-sec>}
    {priority <level>} {server-timeout <seconds>}
Layer 4 (HOT) Services

HOT services provide very fast brokering performance. HOT 
services are defined in full by their VIP and port number. 

In HOT or "Brokered" mode, the SA8220 performs Network Address Translation (NAT) on all incoming packets passing through the connection. NAT changes the destination IP address and port of incoming packets to those of the selected fulfillment server. The source IP address is modified to be that of the SA8220.

Fulfillment servers can be addressable by IP address, and thus can be 
on either local or wide area networks. 

By default in HOT mode, the fulfillment server sees all requests as 
coming from the SA8220 rather than from the actual client. In some 
environments, it may be desirable to have the fulfillment server see 
the requests as if they were coming directly from the client. The 
Source Address Preservation (SAP) mode of the SA8220 allows this 
to happen (see "Source Address Preservation" for more detailed 
information). 

Layer 7 (RICH) Services (all models except the 
SA7200) 

The SA8220 allows more flexible service fulfillment for RICH (Real-time Intelligent Content Handling) services. The service type "RICH_HTTP" is available on the SA8220 and enables it to make fulfillment decisions based on the content of the URL of each client HTTP request. RICH services also include advanced error detection, and automatic resubmission of HTTP requests under most error conditions.

As with HOT services above, fulfillment servers can be addressable 
by IP address, and thus can be on either local or wide area networks. 
Out-of-Path Return (OPR)

Ordinarily, the SA8220 processes all traffic in both directions 
between clients and the server farm. Viewing the server return traffic 
helps the SA8220 accurately determine server response times and 
handle HTTP errors. Often, the volume of data sent from the server 
to the client is much larger than the traffic from client to server, and 
checking for HTTP errors is not required. In such situations, you can 
use OPR mode to increase performance. OPR is enabled by typing the 
following command: 



NOTE: OPR is not applicable to Layer 7 services.



config policygroup <name> service <name> server <name> port <port> mode [opr]

Each server for which OPR is enabled must have its loopback interface configured to identify itself as the VIP of the brokered service. This allows the server to respond directly to the client. The server's loopback interface, or an equivalent interface that will not respond to ARP requests, must be configured before setting up the SA8220 for OPR. For more information, please see "Configuring Out-of-Path Return" in Appendix D.



FTP Limitations

The table below lists the limitations of FTP on the SA8200.

Mode          | Active FTP | Passive FTP
HOT           | No         | Yes
HOT with SAP  | Yes        | Yes (see below)
OPR           | No         | No


HOT with SAP does not change the server's IP address during Passive 
FTP because the server is making the connection directly to the client, 
using its real IP address. If the server's IP address is not a "real" IP 
address, this mode will not work. 
Sticky Options



Some services operate best if all requests from a specific client during 
a single session are directed to the same fulfillment server. For 
example, if the server maintains a local database of client activity or 
context (shopping cart, registration info, navigation history, etc.), it is 
important that subsequent client requests go to the server with these 
database records. The SA8220's "sticky" options allow this to occur. 

Sticky is available in the two modes shown below.

Mode: Source IP address ("src-ip")
Requests from a given IP address are directed to a single server.

Mode: Cookie
The requesting browser is given a cookie, which subsequently identifies it as a unique requestor to be directed to a single server. This method uniquely identifies the client even if the request passes through a proxy server. RICH service is required.



Sticky source IP for SSL uses the SSL session ID for stickiness 
instead of the source IP of the client. 

Both HTTP and HTTPS services can be RICH. However, incoming 
RICH SSL connections will always be decrypted and sent on to the 
fulfillment servers in clear text. Sticky cookie must be used when the 
clients need to remain stuck to the same server between HTTPS and 
HTTP. 

There is no sticky cookie requirement for HTTPS traffic. 

Each brokered service can be configured with sticky cookie, sticky 
IP, or no sticky option enabled. When a sticky option is configured, 
all client requests (identified according to the enabled sticky mode) 
during a session are routed to the same fulfillment server. When the 
sticky option is disabled, the SA8220 determines the best fulfillment 
server for each client request and directs them accordingly. 



NOTE: SA7200 sticky support allows for source IP ONLY. All cookie sticky RICH services will be stuck to the same server for the duration of the sticky timeout value.



Sticky Persistence 

For source-ip based sticky, the relationship between the client IP address and the fulfillment server remains in effect for the entire time the SA8220 is online or until the sticky timeout value expires. In the event of failover, the sticky relationship is lost. Cookie sticky remains in effect while the browser is running or until the sticky timeout value expires. Since the browser maintains the cookie, cookie sticky is maintained in the event of failover. The system clocks on both SA8220s must be synchronized for failover handling to work. You do this by enabling NTP (Network Time Protocol) using the Boot Monitor. The administrator can control the length of time a server is forced to handle serial requests from a single client using the sticky timeout value.

Sticky-timeout 

The current software version for the SA8220 treats the timeout 
differently for cookie versus source-ip sticky. With source-ip sticky, 
the timeout is reset with every connection from the client (so that the 
timeout is effectively an "idle time"). With cookie sticky, the timeout 
starts with the first connection from the client to the server, and never 
gets reset. When the cookie expires, even if actively being used, the 
next connection will be load balanced to a new server. 

We recommend that you set the cookie sticky timeout value to at least 1.5 times the maximum amount of time a user will expect to be stuck to a server. If you are uncertain of the exact setting, we recommend using 43200 seconds (12 hours).

Server-timeout (SA8200/SA8220 only) 

A server timeout, which causes a change in servers, can appear as a cookie sticky state change. The recommended value for server timeout is at least 1.5 times the maximum server response time.

We recommend that you set the value to 120 seconds. 
SSL and Sticky (SA8200/SA8220 only)

SSL (Secure Sockets Layer, or HTTPS)-enabled services can also be 
made sticky by specifying "sticky cookie" or "sticky src-ip" on the 
CLI. For SSL services, sticky cookie behaves exactly as it does for 
ordinary HTTP services. Source IP sticky uses the SSL session ID to 
maintain server context. The server relationship will not survive 
failover. As with sticky cookie, use of the session ID uniquely 
identifies the client even if the request passes through a proxy server. 
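The sticky behaviours described in the preceding sections, as an added Python model written for this page (not HP's code): an idle-reset timeout for src-ip sticky, an absolute timeout for cookie sticky that rebalances an active client once it expires, src-ip bindings lost on failover while cookie bindings survive, and the SSL session ID standing in for the source IP on SSL services. The class and method names, the round-robin stand-in for the balancing decision, and the fake clock are assumptions.

```python
import math
import time


class StickyTable:
    """Client-to-server bindings for one brokered service.

    mode "src-ip": the timeout is an idle timer, reset on every connection.
                   For SSL services the key is the SSL session ID instead of
                   the client address.
    mode "cookie": the timeout starts at the first connection and is never
                   reset; when it expires the next connection is rebalanced
                   even if the client is still active.
    """

    def __init__(self, mode, timeout_s, servers, clock=time.monotonic):
        if mode not in ("src-ip", "cookie"):
            raise ValueError("mode must be 'src-ip' or 'cookie'")
        self.mode = mode
        self.timeout_s = timeout_s
        self.servers = list(servers)
        self.clock = clock          # injectable so tests can move time
        self._next = 0
        self.bindings = {}          # key -> (server, expiry time)

    def _balance(self):
        # Stand-in for the appliance's own balancing decision: round robin.
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server

    def route(self, key):
        """Return the server for this client key, binding it if necessary."""
        now = self.clock()
        bound = self.bindings.get(key)
        if bound is not None and now < bound[1]:
            server = bound[0]
            if self.mode == "src-ip":
                # idle timer: each connection pushes the expiry out again
                self.bindings[key] = (server, now + self.timeout_s)
            return server
        server = self._balance()    # no binding, or it has expired
        self.bindings[key] = (server, now + self.timeout_s)
        return server

    def failover(self):
        """Standby takes over. src-ip bindings lived only in the failed unit
        and are lost; cookie bindings are carried by the browser and survive
        (modelled here by keeping the table, which assumes the two units'
        clocks are synchronized as the manual requires)."""
        if self.mode == "src-ip":
            self.bindings.clear()


def recommended_cookie_timeout(max_stuck_s=None):
    """Manual's guidance: at least 1.5x the longest time a user expects to stay
    stuck to a server; 43200 s (12 hours) when that is unknown."""
    if max_stuck_s is None:
        return 43200
    return math.ceil(max_stuck_s * 1.5)
```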

Grouping Services

NOTE: RICH is required for sticky service grouping.

The SA8220's sticky capabilities can ensure that all service requests from the same user are routed to the same server. Enabling sticky cookie on multiple services ensures that requests from the same client will be routed to the same fulfillment server for the duration of the sticky relationship. Of course the server must be able to fulfill all service requests to have a true one-to-one client-server relationship.

SSL Acceleration (SA8200/SA8220 only)

The SA8220 is a powerful addition to any web site desiring high security levels. It was specifically created to manage secure traffic going to and from critical applications. It handles SSL traffic into and out of the customer's environment, as well as providing load balancing, fault management, and error recovery.

The SA8220 includes cryptographic software features and hardware-based acceleration. It provides up to 1200 SSL (HTTPS) connections per second (SA8220 only), far exceeding the performance of even the most powerful web servers on the market today.

The SA8220 allows users to offload SSL processing from their back end servers, and at the same time achieve full-featured traffic management. In a SA8220 environment, all encrypted traffic required by e-commerce applications is handled at the SA8220. The interaction between the SA8220 and the servers is done in the clear, allowing load balancing and session management.

SSL processing is enabled by assigning an RSA private key (a public encryption key algorithm invented in 1977) and an X.509 certificate to a Layer 7 service. The SA8220 Command Line Interface (CLI) allows you to create or import keys and certificates when you define a service. Once the key and certificate are in place, secure HTTP (HTTPS) requests are decrypted and passed on to the web server. The SA8220's dual NIC and packet filtering capabilities can be used to isolate the web servers from the Internet, further preventing unauthorized access.

SSL Fundamentals (SA8200/SA8220 only)

SSL involves an interchange of keys used both to authenticate the parties and to provide information to securely encrypt confidential data. The keys distributed in this medium are "one way," or asymmetric. That is, they can only be used to encrypt confidential data, and only the "owner" of the public key can decrypt the data once it is encrypted using the public key information. SSL assures the three things shown below.

Authenticity: Verifies the identities of the two parties.
Privacy: None other than the transacting parties can access the information being exchanged.
Integrity: The message cannot be altered in transit between the two parties by a third party without the alteration being detected.

To establish a secure session with a server, the client sends a "hello" message to which the server responds with its certificate and an encryption methodology. The client then responds with an encrypted random challenge, which is used to establish the session keys. This method allows two parties to quickly establish each other's identities and establish a secure connection.

Several encryption methods are employed. Common ones are DES, 3DES, RC2, and RC4. Key size can be varied to determine the level of security desired. A longer key is more secure.

The SA8220 supports all common keys and ciphers, as well as the following encryption methods: DES, 3DES, RC2 and RC4. The SA8220 includes a licensed version of the RSA code embedded in the security module as well. The device's session management software has been certified by prominent security agencies and meets all standards for SSL traffic.

The SA8220 handles all the handshaking, key establishment, and bulk encryption for SSL transactions. Essentially, the SA8220 is a full-featured, SSL-enabled web server. Traditionally, these functions are performed either at the server level, by web servers generally providing SSL functionality by way of standalone software components, or by embedded encryption software.

The HP methodology places encryption processing on the network side, thus eliminating the need for processing on the servers (see the figure below). The servers never see any of the SSL connection dialogue or the encrypted data. This removes a substantial processing load from the servers, allowing improved response times and greater availability of system resources.

The HP methodology places encryption processing on the network 
side, thus eliminating the need for processing on the servers (see the 
figure on the next page). The servers never see any of the SSL 
connection dialogue or the encrypted data. This removes a substantial 
processing load from the servers allowing improved response times 
and greater availability of system resources. 




[Figure: Basic SSL Operations. The figure contrasts a conventional handshake with the server itself (client connects to server; server responds with certificate; client encrypts random key; server generates working key; session established) against the SA8220 handling the handshake on the server's behalf:]

1. Client connects to SA8220 with ClientHello (includes ciphers supported)

2. SA8220 responds with SSL ServerHello (includes selected cipher & session ID)

3. SA8220 sends certificate for server

4. Client sends ClientKeyExchange message; includes PK (session key)

5. SA8220 and client send ChangeCipherSpec message to indicate readiness

6. SA8220 and client send "finished" messages; includes hash of whole conversation

7. Encrypted data sent to SA8220, decrypted and forwarded to least busy server

8. Clear response sent to SA8220, encrypted and sent to client.
Application Message Traffic Management

The SA8220 was developed to perform load balancing in SSL 
environments. The SA8220 allows users to load balance based on 
application content (Layer 7, or RICH mode), as well as server 
address and port (Layer 4, or HOT mode). SSL management is 
handled independently of RICH mode processing. That is, once a 
session is established and the message is decrypted, it is passed to the 
SA8220's RICH processing component. This allows even SSL traffic 
to take full advantage of the features of the device, including error 
recovery and session rollback. 

The SA8220 allows non-encrypted traffic to be processed 
independently of SSL traffic. The advantage of this is that it permits 
load balancing (in either HOT or RICH mode) configuration on a per 
virtual IP address, thus allowing you to isolate the impact of the SSL 
processing. Many users tune their sites for maximum performance by 
assigning HOT load balancing to all traffic except SSL. 

Another advantage of the SA8220 is its ability to recognize SSL session IDs. This permits "sticky" (or persistent) sessions to be established on a given server.

HTTPS Redirect 

If desired, you can specify a page to return to the client if a successful 
session cannot be negotiated because the client does not support the 
required cipher suite. The SA8220 accomplishes this by sending an 
HTTP 302 "redirect" message back to the client in the case of a cipher 
negotiation failure. For example: The server supports 128-bit encryption, but the client's software is only capable of 40-bit encryption.

The CLI parameter redirectpage=<URL> allows you to set which page the client is redirected to, where <URL> is the fully qualified location of the page. For example: redirectpage=http://www.companyname.com/error.html.

The default configuration file setting is: redirectpage=none.
Fulfillment of each virtual service is load balanced across a number
of real servers depending on the load balancing algorithm chosen. 
Servers capable of fulfilling requests for a service are identified and 
managed with the following commands: 

config policygroup <name> service <name> server 
delete <name> port <port> 

config policygroup <name> service <name> server 
create <name> port <port> 

Client Authentication 

By default, the SA8200/SA8220 does not authenticate client 
identities; however you can configure services to request client 
certificates for the purpose of verifying identities. When you enable 
this feature, the SA8200/SA8220 verifies that client certificates are 
signed by a known CA. 

Issued client certificates are expected to be in use for their entire 
validity period. The CA periodically issues a signed data structure, 
called a Certificate Revocation List (CRL), containing the serial 
numbers of all expired certificates. You can configure the SA8200/ 
SA8220 to obtain and use a CRL using LDAP, HTTP or FTP 
protocols. The SA8200/SA8220 first verifies a client certificate 
against the installed CA certificate, and then looks up its serial 
number in the installed CRL. If the serial number exists in the CRL, 
then the client connection is terminated. Before the connection is 
closed, the SA8200/SA8220 returns a message to the client indicating 
that the client's certificate was revoked. 
HTTP Header Option Fields

Both the SA7220 and the SA8200/SA8220 can make the IP address 
of a requesting client available to a fulfillment server by constructing 
a custom HTTP header option, with the client's IP as the value: 

HP_SOURCE_IP: <client-IP> 

SSL-related HTTP header option fields are only used by the SA8200/ 
SA8220 with any SSL service. The HP_CIPHER_USED header 
option is used whenever HP_SOURCE_IP is used, to provide the 
name of the SSL cipher negotiated between the SA8200/SA8220 and 
the client: 

HP_CIPHER_USED: <ssl-cipher> 

These two header fields are used only by the SA8200/SA8220 when 
client authentication is in use: 

HP_CLIENT_CERTIFICATE: <client-certificate> 
HP_SESSION_ID: <SSL-session-ID> 

Because a client certificate contains information useful for client/user 
authorization, the SA8200/SA8220 inserts the client certificate in the 
request header before sending the request to the server. The server 
can then extract the certificate from the request header and use it for 
authorization or other purposes. 

The client certificate is inserted in the request header only once per 
session. Requests following the initial request will be sent to the 
server with only the SSL session ID in the header. The SSL session 
ID is unique for each session and allows the server to work with 
multiple sessions. The client certificate is inserted in the request 
header with a new SSL session ID only when the client certificate has 
been re-negotiated between the SA8200/SA8220 and the client: 

• New Session/Initial Request: SA8200/SA8220 sends both the 
HP_CLIENT_CERTIFICATE and HP_SESSION_ID header 
options. 

• Existing Session/Subsequent Requests: SA8200/SA8220 sends 
only the HP_SESSION_ID header option. 

The use of header option fields is an efficient way of supplying 
information to the server about the client. To ease the use of this 
important feature, the SA7220/SA8200/SA8220 allows customization of 
all the above header option field names. For more information, see 
Chapter 5. 
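The following Python is an added illustration, not HP's code, of how a fulfillment server behind the appliance can consume these header options: it caches the certificate by HP_SESSION_ID so that later requests carrying only the session ID can still be authorized, and it discards HP_* headers on any request that did not arrive from the broker's server-side address (assumed here to be 10.6.5.21), since a client that reaches the server directly could otherwise assert an arbitrary identity. The header names are the manual's defaults; the addresses, cipher name, session ID and certificate text are constructed.

```python
"""Server-side use of the SA8200/SA8220 header option fields (added example)."""
from typing import Dict, NamedTuple, Optional

# Constructed: server-side address of the broker in front of this server.
# Only requests arriving from it may carry trusted HP_* header options.
TRUSTED_BROKER_IPS = {"10.6.5.21"}

HDR_SOURCE_IP = "HP_SOURCE_IP"
HDR_CIPHER = "HP_CIPHER_USED"
HDR_CERT = "HP_CLIENT_CERTIFICATE"
HDR_SESSION = "HP_SESSION_ID"
BROKER_HEADERS = (HDR_SOURCE_IP, HDR_CIPHER, HDR_CERT, HDR_SESSION)


class ClientInfo(NamedTuple):
    client_ip: Optional[str]      # real client address (HP_SOURCE_IP)
    cipher: Optional[str]         # SSL cipher negotiated with the client
    session_id: Optional[str]     # SSL session ID (HP_SESSION_ID)
    certificate: Optional[str]    # client certificate, or None if unknown


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split an HTTP/1.x request into an upper-cased name -> value map."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                                 # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


class BrokerHeaderResolver:
    """Rebuilds client identity from the broker's header options.

    The certificate is sent only on the first request of an SSL session (and
    again after re-negotiation); later requests carry just HP_SESSION_ID, so
    the server keeps the certificate per session ID.
    """

    def __init__(self) -> None:
        self._cert_by_session: Dict[str, str] = {}

    def resolve(self, peer_ip: str, raw_request: str) -> ClientInfo:
        headers = parse_headers(raw_request)
        if peer_ip not in TRUSTED_BROKER_IPS:
            # Not from the broker: these headers could have been forged by
            # whoever sent the request, so they are discarded, not trusted.
            for name in BROKER_HEADERS:
                headers.pop(name, None)
            return ClientInfo(peer_ip, None, None, None)

        sid = headers.get(HDR_SESSION)
        cert = headers.get(HDR_CERT)
        if sid and cert:
            # New session or re-negotiated certificate: remember it.
            self._cert_by_session[sid] = cert
        elif sid:
            # Subsequent request in an existing session: look it up.
            cert = self._cert_by_session.get(sid)
        return ClientInfo(headers.get(HDR_SOURCE_IP), headers.get(HDR_CIPHER),
                          sid, cert)


# Constructed sample traffic as the broker would deliver it to the server.
FIRST_REQUEST = (
    "GET /account HTTP/1.0\r\n"
    "Host: shop.example\r\n"
    "HP_SOURCE_IP: 198.51.100.7\r\n"
    "HP_CIPHER_USED: DES-CBC3-SHA\r\n"
    "HP_CLIENT_CERTIFICATE: <constructed-PEM-blob>\r\n"
    "HP_SESSION_ID: 7f3a9c\r\n"
    "\r\n"
)
LATER_REQUEST = (
    "GET /cart HTTP/1.0\r\n"
    "Host: shop.example\r\n"
    "HP_SOURCE_IP: 198.51.100.7\r\n"
    "HP_CIPHER_USED: DES-CBC3-SHA\r\n"
    "HP_SESSION_ID: 7f3a9c\r\n"
    "\r\n"
)


def demo() -> list:
    """Run the three cases a server must handle; returns the ClientInfo list."""
    resolver = BrokerHeaderResolver()
    return [
        resolver.resolve("10.6.5.21", FIRST_REQUEST),   # certificate arrives
        resolver.resolve("10.6.5.21", LATER_REQUEST),   # found via session ID
        resolver.resolve("192.0.2.9", FIRST_REQUEST),   # bypassed broker: ignored
    ]


if __name__ == "__main__":
    for info in demo():
        print(info)
```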
Load Balancing Across Multiple Servers 



Balancing Algorithms 

The SA8220 provides a choice of load balancing algorithms. Services 
can be separately configured to load balance using a round-robin or a 
response time algorithm. In most networks, the best performance 
results from use of the response time algorithm. Under this algorithm, 
the SA8220 measures the response time of each request to each server 
in the server farm. It then balances requests to the service among the 
servers, sending more requests to the fastest servers and fewer to the 
slower ones, thus optimizing the average response time. 

In cases where Out-of-Path Return (please see "Out-of-Path Return 
(OPR)" in Chapter 2) is used in unpredictable WAN environments, 
response time metrics may be obscured by WAN latency variance. In 
these situations, round-robin load balancing can provide equal 
distribution of client requests to each fulfillment server. 

The balancing algorithm is specified with the command: 

config policygroup <name> service <name> 
balancing [robin | load] 



Response-Time Metrics 

For both balancing algorithms, servers can be assigned target 
response times. These values indicate the desired average response 
time for requests for specified services to be fulfilled, and instruct 
the SA8220 to use alternate resources for fulfillment if the average 
response time exceeds the target response time. Target response time is 
controlled with the following command: 

config policygroup <name> service <name> 
response <mil-seconds> 

If the servers do not meet the specified response time threshold, 
backup servers, if available and enabled, are activated. In addition, 
the servers providing lower priority services are throttled if the 
response time is still not being met (if throttle is enabled in the 
policygroup). Both mechanisms are available for both of the load- 
balancing algorithms. 
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Primary and Backup Servers 

Each server is identified as either a Primary or Backup for a given 
service. Primary servers are always considered first for request 
fulfillment. By default, Backup servers are considered for use only if 
a primary server goes down, though they can optionally be 
configured for use to maintain target response times. A server's type 
is established with the following command: 

config policygroup <name> service <name> server 
<name> port <port> type [primary | backup] 

Backup servers are enabled to maintain target response times with the 
following command: 

config policygroup <name> service <name> backups 
[enable | disable] 



Server Configuration Options 



Source Address Preservation 

By default, brokered service requests arriving at a fulfillment server 
appear to the server as requests originating from the SA8220. 
Consequently, server log files record the SA8220 as the source of 
these requests. When Source Address Preservation (SAP) is enabled 
however, the SA8220 preserves the original source addresses of 
requests delivered to the server farm. If you use the log files from 
your server farm to gather information based on client source 
addresses, use Source Address Preservation. SAP is controlled with 
the following command: 

config policygroup <name> service <name> server 
<name> port <port> mode [sap] 



NOTE: For the SA8220 
to operate in SAP mode, 
the default gateway for 
each SAP-enabled server 
must be set to the 
SA8220's physical IP 
address, not the VIP. 



SAP cannot be used in WAN or multiple router LAN environments. 
To use SAP, each server must be configured so that its default 
gateway is set to the physical IP address of the SA8220; thus there can 
be no routers between the SA8220 and the fulfillment servers. 

Limitations of SAP mode operation are listed below: 

• The client machine cannot be on the same subnet as the SA8220. 

• The SA8220 and server must be on the same subnet. 

When SAP is enabled, serial cable failover is the only failover 
option — routing failover is not available. 
Multi-hop Source Address Preservation 

It is possible in sophisticated network topologies to require requests 
to pass through two SA8220s. In such configurations, the SA8220 
topologically closest to the clients must be configured with the Multi- 
hop Source Address Preservation (MSAP) feature enabled. 

MSAP allows requests to pass through two cascaded SA8220s in 
different geographical areas. Enabling MSAP ensures that the actual 
IP addresses of requesting clients, rather than the virtual IP address of 
the SA8220 that delivered the request, are recorded in the server logs. 
This is similar to SAP (described in the preceding section); however, 
this feature allows SA8220s to be geographically dispersed, as 
shown below. 

[Figure: MSAP on a Geographically-Dispersed Network. A client in 
San Diego sends its request through SA8220 #1 (MSAP enabled) to 
SA8220 #2 (MSAP disabled) in Boston, which forwards it to Server 1.] 

NOTE: In most 
configurations, the 
default setting (MSAP 
disabled) is required. 

MSAP on a Geographically-Dispersed Network 

In the figure above, a client in San Diego sends a request to a 
fulfillment server in Boston. MSAP is enabled on SA8220 Broker 1, 
and Server 1's default route is set to SA8220 Broker 2. The SA8220 
Broker 2 doesn't need SAP enabled for this service, since SAP is 
automatically used on MSAP requests from SA8220 Broker 1. Under 
this configuration, the San Diego client's IP address will be preserved 
in the Boston fulfillment servers' logs. MSAP is enabled at the CLI 
with the following command: 

config policygroup <policy-name> service 
<service-name> server <server-name> 
port <port> msap [enable] 



RICH Expressions (not available on the SA7200) 

Layer 7 RICH_HTTP service configurations use rich expressions to 
assign particular classes of URLs to particular servers for fulfillment. 
RICH expressions are used, for example, to distinguish content 
requested by clients performing online transactions, from content 
typically requested by casual browsers. In this way, users performing 
online transactions are given higher priority access to server 
resources (and better response times) than other users. 
NOTE: The "*" and "!" 
are allowed in 
expressions, but they can 
only exist at the 
beginning or end of the 
expression. Also, a 
positive expression is 
required after a not (!) 
expression, otherwise the 
(!) expression has no 
effect. 



Each server listed for fulfillment of a RICH_HTTP service can be 
configured to serve any number of specific rich expressions. 
Applicable expressions are listed below: 

• File type expressions, such as *.gif, or */index.html 

• Path expressions, such as /home/*, or /home/images/*, or /home/ 
images/a*. 

• Unique file expressions, such as /index.html 

• Wildcard expression, such as *. 

• Negation expressions, such as !*.gif or !*/index.html 

RICH expressions are managed with the following commands: 

config policygroup <name> service <name> server 
<name> port <port> expression create 
<expression>, and 

config policygroup <name> service <name> server 
<name> port <port> expression delete 
<expression> 

Order of Expressions (not available on the 
SA7200) 

When using expressions in Layer 7 (RICH) operations, the order of 
expressions is significant only when the "not" (!) operator is used. 

Expressions are described below. 

Expression        Yields 
!*.gif;*          All non-GIF files 
*;!*.gif          All files, because after specifying "all" (*), the 
                  !*.gif expression is never reached 
!*.html;/home/*   Matches all requests of the form "/home/*" except 
                  HTML files 
/home/*;!*.html   Matches all files of the form "/home/*". The 
                  !*.html has no effect. 
!/home/*          No matches 
!/home/*;*        All matches except ones starting with "/home" 
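The following Python evaluator is an added example, not HP code, that reproduces the ordering rules in the table above: expressions are evaluated left to right, a matching "!" expression rejects the request, and a "!" expression with no positive expression after it can never yield a match. The wildcard semantics ("*" only at the beginning or end) follow the note earlier in this section; the server farm in the demo is constructed.

```python
"""Evaluator for RICH expression lists (added example, not HP code)."""
from typing import Dict, Optional


def _match_pattern(pattern: str, path: str) -> bool:
    """Match one positive pattern; '*' is permitted only at the ends."""
    if pattern == "*":
        return True
    core = pattern.strip("*")
    if "*" in core:
        raise ValueError(f"'*' is only allowed at the beginning or end: {pattern!r}")
    leading, trailing = pattern.startswith("*"), pattern.endswith("*")
    if leading and trailing:
        return core in path
    if leading:
        return path.endswith(core)        # e.g. *.gif, */index.html
    if trailing:
        return path.startswith(core)      # e.g. /home/*, /home/images/a*
    return path == pattern                # e.g. /index.html


def rich_match(expression_list: str, path: str) -> bool:
    """Evaluate a ';'-separated expression list left to right.

    A '!' expression that matches rejects the request immediately; one that
    does not match is skipped. The first positive expression that matches
    accepts. Reaching the end with no positive match means no match, which is
    why '!/home/*' alone never matches and '!*.gif' after '*' is never reached.
    """
    for expr in expression_list.split(";"):
        expr = expr.strip()
        if not expr:
            continue
        if expr.startswith("!"):
            if _match_pattern(expr[1:], path):
                return False
            continue
        if _match_pattern(expr, path):
            return True
    return False


def choose_server(servers: Dict[str, str], path: str) -> Optional[str]:
    """Pick the first server whose expression list accepts the requested path."""
    for name, expression_list in servers.items():
        if rich_match(expression_list, path):
            return name
    return None


if __name__ == "__main__":
    # Constructed farm: ServerA takes transaction content, ServerB everything
    # except GIFs, so a GIF request matches no server at all.
    farm = {"ServerA": "/checkout/*;/cart/*", "ServerB": "!*.gif;*"}
    for p in ("/checkout/pay", "/home/index.html", "/images/logo.gif"):
        print(p, "->", choose_server(farm, p))
```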
Routing with Dual Interfaces 

NOTE: The SA8220 
cannot route multiple 
subnets on one interface. 



Because the SA8220 has two network interfaces, it can act as a router 
in some contexts. This means that it can route between two subnets. 
To do this, you must designate the SA8220 as the default gateway for 
your fulfillment servers. Routes to the inside subnet are not 
advertised to the outside router, but host routes are advertised to the 
VIPs. Packets destined for defined VIPs are always routed through 
the SA8220 to the server-side subnet. Other packets are forwarded 
through the SA8220 only when the security mode is set to OPEN or 
when set to CUSTOM and IP Forwarding is turned on. The SA8220's 
routing capabilities vary depending on which routing and failover 
methods are used. For more details about these variations and their 
relationships to routing and failover configurations, please see 
"Failover Method Dependencies" in Appendix C. 

Terms pertinent to SA8220 routing are listed below. 

Term                  Description 
Network-side subnet   The SA8220 interface attached to the side of the 
                      physical network on which client requests arrive. 
Server-side subnet    The SA8220 interface attached to the side of the 
                      physical network that includes the fulfillment 
                      servers. 
"Outside" device      The router or switch one hop from the SA8220 on 
                      the brokered subnet. 
"Inside" device       The router or switch one hop from the SA8220 on 
                      the server-side subnet. 

The figure below shows an example of the SA8220 routing topology. 

[Figure: SA8220 Routing Topology. The "Outside" router on the 
brokered subnet connects to the SA8220; the SA8220's server-side 
interface connects through the "Inside" hub or switch to the 
fulfillment servers on the server-side subnet.] 

SA8220 Routing Topology 
Prioritization and Policy Groups 



Policy groups are containers used to organize services. Service 
prioritization uses policy group information to make decisions about 
which services should get more or less server resources. Although the 
assignment of services to policy groups can be arbitrarily determined 
by the operator, effective use requires that each policy group contain 
services related by their shared use of server resources. Services and 
servers are assigned to Policy Groups at their time of creation. 

Policy group management commands are listed below: 

config policygroup create <name> 

config policygroup delete <name> 

config policygroup <name> throttle [enable | disable] 

The policy group framework allows the prioritization of categories of 
client requests. Each service defined in a policy group is assigned a 
priority within that group and a target response time. When the 
average response time of a service exceeds its target response time, 
that service is allocated, on the basis of its priority, a greater share of 
common server resources to attempt to bring response time back 
within the target range (this assumes that the throttling option is 
enabled for the policy group). 

[Figure: Target Response Time Satisfied. Server 1: HTTP; Server 2: 
HTTPS; Server 3: HTTP/HTTPS; SA8220 VIP 10.2.2.4 with target 
response times HTTPS: 10 ms, HTTP: 10 ms.] 

Target Response Time Satisfied 
For example, the services HTTP and HTTPS are both assigned to a 
single policy group. HTTPS is designated the highest priority service, 
and HTTP the second priority. The SA8220 monitors the response 
time of each service, and if necessary re-prioritizes server resources 
of subordinate services to keep the response time for the highest 
priority service within the specified range. The figure above shows a 
policy group with services sharing a defined VIP, two services, and 
their associated target response times. When the average response 
time of HTTPS is less than or equal to 10 ms, Server 1 fulfills HTTP 
requests, Server 2 fulfills HTTPS requests, and Server 3 fulfills both 
HTTP and HTTPS requests. The next figure illustrates server 
utilization after HTTPS response time exceeds 10 ms. 

[Figure: Target Response Time Exceeded. Server 1: HTTP; Server 2: 
HTTPS; Server 3: HTTP only.] 

Target Response Time Exceeded 

Upon noticing a break in the target response time threshold, the 
SA8220 scans the policy group's active service and server pools for 
shared resources. In this example, both the HTTP and HTTPS 
services use Server 3. To provide the greatest server resources for the 
highest priority service, shared resources are eliminated from 
subordinate service pools (although each service will always have at 
least one point of fulfillment). For example, in the figure above, new 
HTTP connections are no longer sent to Server 3 in an effort to 
guarantee the target response time for HTTPS. Server 3 will again 
serve HTTP when target response times are met. 
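As an added example (not HP's code; the appliance's actual algorithm is not published on this page), the Python below models the pool adjustment just described: when a higher-priority service exceeds its target, servers it shares with lower-priority services are removed from their pools, each service always keeps at least one point of fulfillment, and the pools are rebuilt in full once the target is met again. The service names, servers and measured times mirror the two figures and are constructed.

```python
"""Shared-server throttling among prioritized services (added example)."""
from typing import Dict, List, Sequence, Tuple

# (service name, target response time in ms, servers in its pool),
# listed highest priority first.
Service = Tuple[str, float, List[str]]


def allocate_pools(services: Sequence[Service], measured_ms: Dict[str, float],
                   throttle_enabled: bool = True) -> Dict[str, List[str]]:
    """Return the server pool each service may use for new connections."""
    pools = {name: list(servers) for name, _, servers in services}
    if not throttle_enabled:
        return pools            # throttle disabled: pools are never trimmed
    for rank, (name, target, servers) in enumerate(services):
        if measured_ms.get(name, 0.0) <= target:
            continue            # target met: subordinate pools untouched
        shared = set(servers)
        # Target exceeded: take shared servers away from lower-priority services.
        for lower_name, _, _ in services[rank + 1:]:
            remaining = [s for s in pools[lower_name] if s not in shared]
            # Each service always keeps at least one point of fulfillment.
            pools[lower_name] = remaining or pools[lower_name][:1]
    return pools


# Constructed policy group matching the figures: HTTPS outranks HTTP.
POLICY_GROUP: List[Service] = [
    ("HTTPS", 10.0, ["Server 2", "Server 3"]),
    ("HTTP", 10.0, ["Server 1", "Server 3"]),
]


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Pools while HTTPS meets its 10 ms target, then after it exceeds it."""
    satisfied = allocate_pools(POLICY_GROUP, {"HTTPS": 8.0, "HTTP": 9.0})
    exceeded = allocate_pools(POLICY_GROUP, {"HTTPS": 14.0, "HTTP": 9.0})
    return satisfied, exceeded


if __name__ == "__main__":
    ok, over = demo()
    print("satisfied:", ok)    # HTTP keeps Server 1 and Server 3
    print("exceeded: ", over)  # HTTP loses Server 3 to HTTPS
```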
Routing Method for VIP Addresses 



After setting up the service, you must configure the SA8220 to route 
the VIP address to the Internet. There are two possibilities: 

• In single SA8220 installations, "Standalone" mode is preferred 
as it allows the VIP to be ARP-accessible from the router. 

• If there are multiple address spaces (such as an SA8220 on the 
10.x.x.x network and a VIP on the 209.x.x.x), then a routing 
protocol might be the best method to advertise the VIP. When 
configuring routing on the SA8220, always match the router's 
configuration. The SA8220 can be programmed to use RIP v1, 
RIP v2, or OSPF. 

For example (standalone mode): 

HP SA8220#config route 
HP SA8220/config/route#info 
Route configuration: 

Broker role: standalone 
RIP Info: 
    Active : no 
    Version : 2 
OSPF Info: 
    Active : no 
    Area : backbone 
    Hello interval: 10 (seconds) 
    Router dead interval: 40 (seconds) 
Error Detection 

The SA8220 is capable of recognizing and reacting to server error 
conditions, detecting non-responsive (comatose) servers, and 
directing traffic to alternate resources until the server is back in 
operation. The SA8220 can also capture many HTTP errors before 
they reach the client, and redirect the request to an alternate server. 



Server Status Detection 

The SA8220 uses multiple means to monitor the status of the 
fulfillment servers. The "Intelligent Resource Verification" (IRV) 
module periodically pings the servers to verify they are alive. The 
SA8220 also monitors a "dup-syn" interval to calculate packet loss 
rate. 

Intelligent Resource Verification 

When the IRV module pings a server and receives no response, it tries 
to connect to each port on which the suspect server is configured to 
listen. If the SA8220 itself does not receive a response from a given 
port, then that server/port combination is declared dead. If the server 
maintains network connectivity and responds positively to IRV 
pings, but ports stop responding, then the dup-syn interval threshold 
(described below) is used to decide if the server is declared dead. 

Dup-syn Interval 

The SA8220 dynamically calculates the threshold for the acceptable 
number of dropped packets within a given interval. If at any time in 
this interval the number of dropped packets exceeds this threshold, 
the server is considered dead. After the specified time value has 
expired the lost packet (or dup-syn) count is divided by two and the 
time interval starts again. In this way, some history information is 
kept between time intervals. 

The dup-syn interval for this threshold is established with the 
dup-syn CLI command, and ranges in value from 1000 to 2,147,483,647 
microseconds. The default time interval value is 500,000 
microseconds (one half second), which is appropriate for most 
environments. By lowering or raising this value, you render the 
SA8220 respectively less or more sensitive to dropped packets, and 
less or more likely to declare a server dead. The volume of network 
traffic must be taken into account when setting the dup-syn interval. 
Higher volumes of traffic require a shorter dup-syn interval to avoid 
mistakenly declaring a server dead due to network congestion. 
The dup-syn command uses the following syntax: 

config policygroup <name> service <name> 
dup-syn <micro-seconds> 
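The Python below is an added example, not HP code, of the dup-syn bookkeeping described above: dropped packets are counted per server, the count is halved each time the interval expires so some history survives, and the server is declared dead once the count exceeds the threshold. The SA8220 derives that threshold dynamically; here it is an assumed fixed parameter, and the drop timestamps are constructed so that the effect of a shorter interval under heavy loss can be seen.

```python
"""Dup-syn interval bookkeeping (added example, not HP code)."""
from typing import List, Optional


class DupSynMonitor:
    """Counts dropped packets (dup-syns) for one server/port within a sliding
    interval, halving the count each time the interval expires."""

    MIN_US, MAX_US = 1_000, 2_147_483_647   # CLI range from the manual

    def __init__(self, interval_us: int = 500_000, threshold: int = 8) -> None:
        if not self.MIN_US <= interval_us <= self.MAX_US:
            raise ValueError("dup-syn interval must be 1000..2147483647 microseconds")
        self.interval_us = interval_us
        self.threshold = threshold          # assumed; the SA8220 computes this itself
        self.count = 0
        self.window_start_us = 0
        self.dead = False

    def _advance(self, now_us: int) -> None:
        # Each expired interval halves the count, so some history survives
        # but old loss fades quickly.
        while now_us - self.window_start_us >= self.interval_us:
            self.count //= 2
            self.window_start_us += self.interval_us

    def record_drop(self, now_us: int) -> bool:
        """Register one dropped packet at time now_us (microseconds); returns
        True once the server is declared dead."""
        self._advance(now_us)
        self.count += 1
        if self.count > self.threshold:
            self.dead = True
        return self.dead


def time_of_death(drop_times_us: List[int], interval_us: int = 500_000,
                  threshold: int = 8) -> Optional[int]:
    """Replay a constructed list of drop timestamps; return the timestamp at
    which the server would be declared dead, or None if it survives."""
    monitor = DupSynMonitor(interval_us, threshold)
    for t in sorted(drop_times_us):
        if monitor.record_drop(t):
            return t
    return None


if __name__ == "__main__":
    burst = list(range(0, 9_000, 1_000))            # 9 drops within 9 ms
    spread = list(range(0, 9_000_000, 1_000_000))   # 9 drops, one per second
    print("burst dies at:", time_of_death(burst))    # 8000
    print("spread dies at:", time_of_death(spread))  # None
    # Under heavy traffic a shorter interval halves the count more often and
    # so tolerates more drops before declaring the server dead.
    print("burst, 2 ms interval:", time_of_death(burst, interval_us=2_000))
```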



HTTP Error Detection 

NOTE: This section 
applies to all models 
except the SA7200. 

The SA8220 offers HTTP error detection for RICH services. When 
HTTP error detection is enabled, the SA8220 scans the headers of 
server responses for errors. If an HTTP error is found, the original 
request is rerouted to another server for fulfillment, transparently to 
the client. This process continues until a server responds without an 
error, or all applicable servers have been tried. Conversely, if HTTP 
error detection is disabled, the error is returned directly to the client. 
HTTP error detection for errors 401-405 and 500-503 (as defined in 
the HTTP specification) is configured with the command: 

config policygroup <name> service <name> server 
<name> port <port> http [enable | disable] 

The SA8220 extends standard HTTP error handling by allowing the 
server to return a special 606 error code. Detection and handling of 
606 errors is separately configurable. In this way, standard errors may 
be passed to the client while 606 errors are handled transparently by 
the HP system. If 606 error handling is enabled, the SA8220 scans the 
returned HTTP header for an HTTP 606 response code. If the 606 
response code is found and another server is available to handle the 
request, it is sent automatically. This process continues until a server 
responds without an error, or until all applicable servers have been 
tried. 

The HTTP header for 606 handling is of the form: "HTTP/1.0 606 
Error." Users can generate this response through a variety of methods 
including CGI and nph scripts. Consult your web server 
documentation for information about generating custom error 
messages. 

config policygroup <name> service <name> server 
<name> port <port> 606 [enable | disable] 
Serial Cable Failover 



NOTE: DHCP is not 
available when serial 
cable failover is enabled. 



NOTE: You can log onto 
the Backup SA8220, but 
the full command set is 
not available. 



NOTE: Before 
configuring serial cable 
failover, both the primary 
and backup SA8220s 
must be configured with 
the setup command. 
For more information, 
please see "Setup " in 
Chapter 3. 



The SA8220 offers two failover methods: 

• Router Failover (including OSPF, RIPv1 and RIPv2), and 

• Serial Cable Failover 

When serial cable failover is configured, the Primary and Backup 
SA8220s communicate heartbeat, configuration, and status 
information using the included null modem serial cable. The Backup 
SA8220 assumes control from the Primary when any of the following 
occur: 

• The Backup SA8220 does not detect the Primary SA8220's 
heartbeat within the timeout period (the default is 3 seconds). 

• The Primary SA8220's Ethernet interface becomes inactive. For 
example, if the Ethernet cable is disconnected. 

• The Primary SA8220 experiences an internal software error. 

Both the Primary and Backup SA8220s need to know their own 
identity and the "Online Identity" by address and name to satisfy 
internal communication parameters. The SA8220s' own names and 
the shared online identity are automatically entered into their host 
files during failover configuration. If Dual NIC is enabled, the 
identities for both the Outside (network-side) and Inside (server-side) 
NICs are shared. 

For information on failover method dependencies, see Appendix C. 

Serial Cable Failover Configuration 

The following procedures are used to configure the Primary and 
Secondary SA8220s for serial cable failover operation. 

Configure the Primary SA8220 

1. Connect the two SA8220s through their failover ports using the 
provided null modem serial cable. 

2. Reboot the SA8220 that will be the Primary and press a key at 
the prompt to enter the Boot Monitor. 

3. At the prompt, type the following command: 

monitor>failover 
NOTE: The Online IP 
Address is the address 
used by the SA8220 that is 
currently accepting 
remote administration 
connections — this can be 
either the Primary or the 
Backup SA8220 (though 
it is typically the 
Primary). The Online IP 
Address is the address by 
which you can access the 
Online SA8220 using 
telnet for administration. 



4. Follow the prompts as illustrated below (for single NIC 
operation): 

Specify failover method (disabled, serial, route): [disabled] >serial 
Checking for failover unit... 
Failover unit not detected or may not be configured. 
Is this machine Primary or Backup? [Primary] 
Enter the Network's Online IP Address >10.6.3.200 
Enter the Network's Online hostname >netonline 
Serial failover successfully configured 



If Dual NIC operation is enabled, failover configuration looks 
like the example shown below: 

monitor>failover 
Specify failover method (disabled, serial, route) [disabled] >serial 
Checking for failover unit... 
Failover unit not detected or may not be configured. 
Is this machine Primary or Backup? [Primary] >primary 
Enter the Network side Online IP Address [10.6.3.200] > 
Enter the Server side Online IP Address [10.6.4.200] > 
Enter the Network side Online hostname [netonline] > 
Enter the Server side Online hostname >servonline 

Serial failover successfully configured 
5. Save the Primary configuration. 

monitor>save 

List of currently saved configuration file(s). 
You may save over an existing configuration file 
or enter a new name. 
File name 

active.cfg 
backup.cfg 
cris.cfg 

'active.cfg' is the last booted configuration. 
Enter configuration file name (- to cancel): 
[active.cfg] > 

Configuration has been saved. 

6. Boot the SA8220. 

monitor>boot 

Do you really want to continue boot? [y] 
> <Enter> 

Boot which configuration? [active.cfg] 
> <Enter> 

Please stand by, the system is being booted. 
.... Done 
Login> 

Configure the Backup SA8220 

1. Reboot the SA8220 that will be the Secondary and press a key at 
the prompt to enter the Boot Monitor. 

2. At the prompt, type the following command: 

monitor>failover 

3. Follow the prompts as listed below: 

NOTE: Use the same 
Online IP Address and 
name for the Backup 
SA8220 as the Primary 
(these appear by default). 

Specify failover method (disabled, serial, route) [ ] >s 
Checking for failover unit... 
Failover unit detected 
    Version : 2.3 
    Type : PRIMARY 
    State : ONLINE 
    Name : online13 
    IP : 13.1.1.20 
    Mac : 0:1:c9:ed:a6:fb 

Is this machine Primary or Backup? [Backup] 
> <Enter> 

Enter Online IP Address [13.1.1.20] > <Enter> 

Enter Online Name [online13] > <Enter> 

Serial failover successfully configured 
monitor> 

4. Save the Backup configuration. 



monitor>save 

List of currently saved configuration file(s). 
You may save over an existing configuration file 
or enter a new name. 
File name 

active.cfg 
backup.cfg 
cris.cfg 

'active.cfg' is the last booted configuration. 
Enter configuration file name (- to cancel): 
[active.cfg] > 

Configuration has been saved. 

5. Boot the SA8220. 



monitor>boot 

... current configuration ... 
... list of saved configuration files ... 
Boot configuration file name? [active.cfg] 
> <Enter> 

Do you really want to boot 'active.cfg'? [y] 
> <Enter> 

Please stand by, the system is being booted. 
Replicating the Configuration 

The active configuration is replicated upon changes to the Backup 
SA8220 from the Primary. For most configurations, faults are 
detected within 3 seconds, and the Backup is fully online within 25 
seconds. The latter interval increases as the number of services 
increases. 

Status Information 

You can display information about the SA8220s' function and 
failover status either via the Command Line Interface or the GUI. 
Below are the commands to display status information followed by a 
list of status messages and their explanations. 

1. Log in to the SA8220. 

2. At the CLI prompt, type the following command: 
HP SA8220>info 

The status appears on the last line of the info command's output. 
A description of the status message can be found below. 

Failover Status Message                   Description 

The broker is ONLINE, and serial          One of the SA8220s is configured 
failover is NONE (disabled).              for either "none" or "route" 
                                          failover. 

The broker is PRIMARY and ONLINE,         One of the SA8220s is configured 
the remote's serial failover is NONE      for either "none" or "route" 
(disabled).                               failover. 

The broker is PRIMARY and ONLINE,         Normal Serial Failover Operation 
the remote's state is READY. 

The broker is BACKUP and READY, and       Normal Serial Failover Operation 
the remote's state is ONLINE. 
Failover Status Message                   Description 

The broker is PRIMARY and NIC_FAILED,     Ethernet cable disconnected, or 
and the remote's state is ONLINE.         cable, NIC, or HUB port failure. 

The broker is BACKUP and ONLINE, and      Ethernet cable disconnected, or 
the remote's state is NIC_FAILED.         cable, NIC, or HUB port failure. 

The broker is PRIMARY and ONLINE, the     The serial cable connecting the 
connection to the remote has TIMED OUT.   SA8220s is disconnected. 

The broker is BACKUP and                  The serial cable connecting the 
IP_IN_USE_ERROR, the connection to the    SA8220s is disconnected. 
remote has TIMED OUT. 
NOTE: The notation 
PRIMARY/BACKUP 
indicates that either 
"PRIMARY" or 
"BACKUP" will be 
displayed. 

The Failover Status messages in this table are not specific to the 
Primary or Backup SA8220s. 

Failover Status Message                   Description 

The broker is PRIMARY/BACKUP and          One of the SA8220s has been 
WAITING_FOR_SYNC.                         restarted. This status persists 
                                          while the configuration files are 
                                          loaded from the online SA8220. 
                                          The time this state persists 
                                          depends on the number of VIPs 
                                          and services configured. 

The broker is PRIMARY/BACKUP and          Both SA8220s are configured as 
CONFIGURATION_ERROR.                      Primary or as Backup. Neither 
                                          SA8220 will come online until 
                                          this condition is corrected. 

The broker is PRIMARY/BACKUP and          The online IP address is missing 
DNS_FAILED.                               from both the local host file and 
                                          the DNS server. 

The broker is PRIMARY/BACKUP and          Indeterminate error. Use an earlier 
CORE_APP_FAILED, or the broker is         working configuration. If the 
PRIMARY/BACKUP and RICH_APP_FAILED.       condition persists, contact 
                                          Customer Support for assistance. 
Boot Monitor 



NOTE: For ease of 
reading, all models are 
referred to as the SA8220 
throughout this 
document. Unless noted 
otherwise, all SA8220 
references refer to all 
models. 



This chapter covers the following topics: 

• System Requirements 

• Accessing the Boot Monitor 

• Boot Monitor Commands 
Using the Boot Monitor CLI 



CAUTION: After 
configuring the SA8220 
with the Boot Monitor, 
you must enable Autoboot 
with the autoboot 
command or the SA8220 
will not operate. 



The HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s' 
and the HP Traffic Director Server Appliance SA7200/SA7220s' Boot 
Monitor Command Line Interface (CLI) allow you to configure boot 
options and manage boot configuration files. Typically, you will use 
the Boot Monitor only during the initial configuration or after major 
reconfigurations, if the latter becomes necessary. Day-to-day 
operations are managed using the Graphical User Interface (please see 
"Graphical User Interface", Chapter 4) or the Run Time CLI (please 
see "Command Line Interface", Chapter 5). 

General categories of tasks performed by the Boot Monitor include: 

• Configure and display boot options, including the configuration 
file 

• Manage the boot configuration file system 

• Configure and change IP parameters 



System Requirements 



You can use any terminal or workstation with a terminal emulator as 
the CLI command station, provided the terminal has the following 
features: 

• 9600 bits per second, 8 data bits, 1 stop bit, no parity, no flow 
control (9600-8-N-1) 

• A terminal emulation program, such as HyperTerminal* 

• Cable and connector to match the male DTE connector (DB-9) 
Accessing the Boot Monitor 



You can access the Boot Monitor Command Line Interface in either 
of the two ways described in this section. 

Interrupting the Bootup Sequence 

1. Interrupt the SA8220's bootup sequence by pressing a key at the 
following prompt: 

Press any key to stop autoboot. 

In a few seconds the monitor> prompt displays, confirming 
that the Boot Monitor is running. 

Using the Run Time CLI 

1 . Type this command at the prompt: 

config sys autoboot disable 

2. Then, at the hp SA8220# prompt, type this command: 

reboot 

The monitor> prompt displays, confirming that the Boot 
Monitor is running. 
Boot Monitor Commands 



Boot Monitor CLI commands (listed below) are described in this 
chapter. 

autoboot          info 
boot              interface 
delete            ip 
dhcp              load 
dir               netmask 
dns               rich_bias 
dual              save 
factory_reset     settime 
failover          setup 
gateway           static_routes 
help              version 
host 



autoboot 

Enables or disables the Autoboot function. When Autoboot is 
enabled, the SA8220 prompts you to press a key during restart to 
enter the Boot Monitor command line interface. If you ignore the 
prompt, restart finishes with the SA8220 in normal operating mode. 
If Autoboot is disabled, the restart sequence ends by displaying the 
Boot Monitor interface. 

Example: 

monitor>autoboot 

Enable Autoboot? (yes, no) [yes] > 



boot          Boots the device with a specific configuration. Variations on use of 
the boot command are described below. 

Reboot with No Configuration Changes 

1. Type the boot command. 

The Boot Monitor displays the current configuration and prompts 
you for confirmation, as shown in the example below: 






Current active configuration 

Product:              hp SA8220 
Version:              2.7 
Patch Level:          0.0 
Build:                12 
Current time:         Tue Sep 12 17:02:05 2000 
Hostname:             CSLab7k 
Network side NIC: 
  IP Address:         10.6.3.21 
  Netmask:            255.255.255.0 
  MAC address:        0:a0:c9:ed:6c:cc 
Service side NIC: 
  IP Address:         10.6.5.21 
  Netmask:            255.255.255.0 
  MAC address:        0:d0:b7:6:c1:85 
Default Gateway:      10.6.3.1 
Domain:               None 
Primary name server:  None 
DHCP:                 Disabled 
Failover mode:        Disabled 
Network NIC setup:    Auto 
Server NIC setup:     Auto 
NTP:                  Disabled 
Autoboot:             Disabled 
Static Routes:        None 
RICH_Biased:          Enabled 

Do you really want to boot active.cfg? [y] > 



2. To boot to the normal operational prompt, type y. 

3. To return to the monitor > prompt, type n. 
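The Python script below is an added example written for this edition; it is not part of HP's product or documentation. It parses a captured copy of the configuration display shown above (reproduced here as a constructed sample string) into a dictionary and runs a few review checks over it. The check names and the "is the gateway on a directly connected subnet" test are the editor's own choices, not documented appliance behaviour; the parser only relies on the Key: value layout of the display.

```python
"""Parse the configuration summary the SA8220 Boot Monitor prints before
booting, and run a few review checks over it (added example, not HP code)."""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the "Current active configuration" display from this
# chapter, as it would be captured from the serial console.
SAMPLE_DISPLAY = """\
Current active configuration

Product:              hp SA8220
Version:              2.7
Patch Level:          0.0
Build:                12
Current time:         Tue Sep 12 17:02:05 2000
Hostname:             CSLab7k
Network side NIC:
  IP Address:         10.6.3.21
  Netmask:            255.255.255.0
  MAC address:        0:a0:c9:ed:6c:cc
Service side NIC:
  IP Address:         10.6.5.21
  Netmask:            255.255.255.0
  MAC address:        0:d0:b7:6:c1:85
Default Gateway:      10.6.3.1
Domain:               None
Primary name server:  None
DHCP:                 Disabled
Failover mode:        Disabled
Network NIC setup:    Auto
Server NIC setup:     Auto
NTP:                  Disabled
Autoboot:             Disabled
Static Routes:        None
RICH_Biased:          Enabled

Do you really want to boot active.cfg? [y] >
"""

# "Key: value" with optional leading indent. The key stops at the first
# colon, so values that contain colons (times, MAC addresses) survive intact.
LINE_RE = re.compile(r"^(\s*)([^:]+?)\s*:\s*(.*?)\s*$")


def parse_display(text: str) -> Dict[str, Any]:
    """Return the display as a dict. A line ending in ':' with no value
    (e.g. 'Network side NIC:') opens a section; indented lines nest under it.
    The banner, blank lines and the final prompt have no colon and are skipped."""
    config: Dict[str, Any] = {}
    section = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent and section is not None:
            config[section][key] = value
        elif value == "":
            section = key
            config[section] = {}
        else:
            section = None
            config[key] = value
    return config


def gateway_interface(config: Dict[str, Any]) -> str:
    """Name the NIC whose subnet contains the default gateway, or '' if none does."""
    gateway = ipaddress.ip_address(config["Default Gateway"])
    for side in ("Network side NIC", "Service side NIC"):
        nic = config.get(side, {})
        if "IP Address" in nic and "Netmask" in nic:
            subnet = ipaddress.ip_interface(f"{nic['IP Address']}/{nic['Netmask']}").network
            if gateway in subnet:
                return side
    return ""


def review(config: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Flag settings a reviewer would question before letting the unit boot.
    Codes are this example's own labels, not appliance messages."""
    findings: List[Tuple[str, str]] = []
    if config.get("DHCP") == "Enabled":
        findings.append(("DHCP_ENABLED", "addressing is taken from whichever DHCP server answers at startup"))
    if config.get("NTP") == "Disabled":
        findings.append(("NTP_DISABLED", "clock is set by hand, so log timestamps will drift"))
    if config.get("Primary name server", "None") == "None":
        findings.append(("NO_NAME_SERVER", "no DNS resolver configured"))
    if config.get("Autoboot") == "Disabled":
        findings.append(("AUTOBOOT_DISABLED", "an unattended restart stops at the monitor> prompt"))
    if not gateway_interface(config):
        findings.append(("GATEWAY_OFF_LINK", "default gateway is not on either NIC's subnet"))
    return findings


if __name__ == "__main__":
    cfg = parse_display(SAMPLE_DISPLAY)
    print(f"{cfg['Product']} {cfg['Version']} build {cfg['Build']} ({cfg['Hostname']})")
    for code, why in review(cfg):
        print(f"  {code}: {why}")
```

Run against the sample display, the script reports NTP_DISABLED, NO_NAME_SERVER and AUTOBOOT_DISABLED; feed it a capture from your own console session instead of SAMPLE_DISPLAY to review a unit before answering the boot prompt.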
Reboot with Configuration Changes 

When you use the boot command after changing the SA8220's 
configuration, you are presented with a number of options. These 
allow you to use the changed configuration, revert to the last saved 
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configuration, or choose among a list of previously saved 
configurations. Procedures for choosing among these options are 
organized within three groups, described below. 

1. Type the boot command. 

The Boot Monitor displays the changed configuration 
information and prompts you to save the new configuration, as 
shown in the example below: 

Current active configuration 

Product:              hp SA8220 
Version:              2.7 
Patch Level:          0.0 
Build:                12 
Current time:         Tue Sep 12 17:02:05 2000 
Hostname:             CSLab7k 
Network side NIC: 
  IP Address:         10.6.3.21 
  Netmask:            255.255.255.0 
  MAC address:        0:a0:c9:ed:6c:cc 
Service side NIC: 
  IP Address:         10.6.5.21 
  Netmask:            255.255.255.0 
  MAC address:        0:d0:b7:6:c1:85 
Default Gateway:      10.6.3.1 
Domain:               None 
Primary name server:  None 
DHCP:                 Disabled 
Failover mode:        Disabled 
Network NIC setup:    Auto 
Server NIC setup:     Auto 
NTP:                  Disabled 
Autoboot:             Disabled 
Static Routes:        None 
RICH_Biased:          Enabled 

The configuration has changed, save it? [y] > 
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First Options: 

NOTE: This list includes 
backup.cfg, a backup 
of the most recently 
booted configuration. 
This file is automatically 
created when you change 
the configuration and 
save. 

1. If you select the default, y, the system allows you to save the 
configuration as either active.cfg or the last loaded filename. 

Configuration file name? [active.cfg] > 

2. You can either accept the default, active.cfg, or type a new 
filename. The system then saves the file and presents a list of all 
saved files. 

Select a boot configuration from the following 
files. 
active.cfg 
backup.cfg 

Boot configuration file name? [active.cfg] > 

3. You can accept the default, active.cfg, or select another 
previously saved configuration. Whichever file you select, its 
contents are displayed before the confirmation prompt, so that the 
last file displayed is always the configuration that is booted. 

Do you really want to boot active.cfg? [y] > 

4. If you select the default, y, the system boots to the normal 
operational prompt. If you type n, it returns to the monitor> 
prompt. 

Second Options: 

1. If you choose not to save the modified file, the system displays a 
warning that it is reverting to the previously booted configuration, 
as shown below: 

Warning: The current configuration has NOT been 
saved and will not be booted. Reverting to last 
saved active.cfg. 

If there are no additional saved configurations, the system 
prompts you to confirm that you want to boot the last saved 
configuration, which will always be active.cfg. 

Do you really want to boot active.cfg? [y] > 

If you select the default, y, the system boots to the normal 
operational prompt. If you type n, it returns to the monitor> 
prompt. 
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Third Options: 

1. If there are any previously saved configurations on the system, 
you are offered a choice of configuration files to boot from. 

Select a boot configuration from the following 
files. 
active.cfg 
backup.cfg 

Boot configuration file name? [active.cfg] > 

2. You can accept the offered default, active.cfg, or select 
another previously saved configuration. If you select 
active.cfg, the configuration is not redisplayed. If you select 
a file other than active.cfg, the file's contents are displayed to 
ensure that the last file displayed is the configuration that is 
booted. 

3. If you select the default, y, the system boots to the normal 
operational prompt. If you type n, it returns to the monitor> 
prompt. 

delete        Deletes the specified configuration file. The active configuration 
file, active.cfg, cannot be deleted. 

Example: 

monitor>delete 

Select a configuration to delete from the 
following files. 
Note: You cannot delete the active 
configuration file active.cfg. 
File name 

active.cfg 
backup.cfg 
cris.cfg 

'active.cfg' is the last booted configuration. 
Enter the configuration filename to delete: 
>cris.cfg 

cris.cfg successfully deleted. 
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dhcp          Enables or disables the SA8220's use of DHCP. When DHCP is 
enabled, the SA8220 receives its configuration parameters from the 
DHCP server at startup. When DHCP is disabled, the SA8220 ignores 
the DHCP server, and so it must be manually configured at restart. 
Respond to the prompt with y to enable, or n to disable. DHCP is 
disabled by default. 

Example: 

monitor>dhcp 

Enable DHCP (yes, no)? [no] > 

dir Displays the list of saved boot configuration files. 

dns           Specifies the domain and (optionally) name server(s). The system 
prompts you for the required information. 

Example: 

monitor>dns 

Would you like to configure DNS (yes, no)? 
[no] >yes 

Enter Domain name ('-' to cancel) 
>mydomain.com 

Enter the IP Address of the Primary name server 
('-' to cancel) >10.6.3.5 

Specify additional name server 
( <return> to end ) >10.6.3.10 

Specify additional name server 
( <return> to end ) > 

dual Selects single or dual NIC operation. 
Example: 

monitor>dual 

Enable dual NIC operation (yes, no) [no] > 
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factory_reset Resets the system to factory defaults, listed below. Because saved 
configuration files survive a factory_reset, use the delete 
command to remove any .cfg files that should not remain on a unit 
you are redeploying or decommissioning. 

NOTE: The first boot 
after a factory_reset 
command or a new 
installation will prompt 
you for the root 
password. Also, the 
factory_reset 
command does not delete 
saved configuration files. 

Parameter                              Setting 

IP address                             Deleted 
Default route                          Deleted 
Hostname                               Deleted 
Domain                                 Deleted 
Name servers                           Deleted 
DHCP                                   Disabled 
Dual NIC                               Disabled 
Failover mode                          Disabled 
Autoboot                               Disabled 
Autoboot timeout                       5 seconds 
Added hosts in the host file           Deleted 
New root password on next boot         Forced 
Rich bias                              Enabled 
Static routes                          Deleted 
All added user accounts                Deleted 
Policy groups, services, and servers   Deleted 
Route parameters                       Deleted 
CLI parameters                         Deleted 
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failover      Specifies the SA8220's failover method. Three failover options are 
available: 

• disabled: no failover method will be used 

• serial: serial cable failover will be used 

• route: router failover will be used 

Example: 

monitor>failover 

Specify failover method (disabled, serial, 
route): [disabled] >serial 

Checking for failover unit... 

Failover unit not detected or may not be 
configured. 
Is this machine Primary or Backup? 
[Primary] > 

Enter the Network side Online IP Address 
>10.6.3.200 
Enter the Server side Online Address 
>10.6.5.200 
Enter the Network side Online hostname 
>net-onlinehost 

Enter the Server side Online hostname 
>serv-onlinehost 

Serial failover successfully configured 

gateway       Specifies the default gateway. 

Example: 

monitor>gateway 
Enter default gateway: >10.6.3.1 

help          Lists all Boot Monitor commands or optionally displays syntax for a 
specified command. 

Example (partial output): 

monitor>help 

gateway       Set default gateway 

interface     Configure network interface card 
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host          Sets the SA8220's host name. 
Example: 

monitor>host 

Enter the hostname you would like to assign to 
the Network NIC: >CSLab7k 

info          Displays the current boot configuration. 

interface     Configures Ethernet port parameters. Compatibility with some older 
switches, hubs, or routers may require that you manually specify the 
Ethernet speed and duplex mode of the SA8220's network interface 
card. 

Single NIC configuration example: 

monitor>interface 

Auto configure the network NIC speed and duplex 
(yes, no)? [yes] >no 

1 - 100BaseTX 

2 - 10BaseTx 

Select Media Type (1 or 2): [1] >2 

Use Full Duplex? [n] >n 

Dual NIC configuration example: 

monitor>interface 

Auto configure the Network side NIC speed and 
duplex (yes, no)? [yes] > 

Auto configure the Server side NIC speed and 
duplex (yes, no)? [yes] > 

ip Specifies the SA8220's IP address. 

Example: 

monitor>ip 

Enter the IP address for the Network side NIC 

[10.6.3.21] > 

Enter the IP address for the Server side NIC 

[10.6.5.21] > 
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load          Loads a previously saved configuration file into memory. 
Example: 

monitor>load 

Select a configuration file to load from the 
following files. 
File name 

active.cfg 
backup.cfg 
cris.cfg 

'active.cfg' is the last booted configuration. 
Enter the configuration filename to load 
(- to cancel): [active.cfg] > 

Configuration loaded: active.cfg 

netmask       Specifies the netmask. 

Example: 

monitor>netmask 

Enter Netmask for Network side NIC 
[255.255.255.0] > 

Enter Netmask for Service side NIC 
[255.255.255.0] > 

rich_bias     (Not available on the SA7200.) Optimizes RICH_HTTP service 
performance. If your RICH_HTTP service responses consist mostly of 
files greater than 8K, the enabled (default) setting of rich_bias 
will optimize performance. If your site is experiencing performance 
problems and the RICH_HTTP service responses are less than 8K, you 
may want to disable rich_bias. 

This command has no effect on SSL terminated connections. 

Example: 

monitor>rich_bias 

Unit is currently 'RICH_Biased', change it 
(yes, no) [no] >yes 

RICH_Biased (enable, disable) [enable] 
>disable 
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save          Saves the current configuration. Changes made during the current 
Boot Monitor session are lost unless you use the save command. 

Example: 

monitor>save 

List of currently saved configuration file(s). 
You may save over an existing configuration file 
or enter a new name. 
File name 

active.cfg 
backup.cfg 
cris.cfg 

'active.cfg' is the last booted configuration. 
Enter configuration file name (- to cancel): 
[active.cfg] >- 
monitor> 

settime       Selects a method for setting the SA8220's system time and date. If 
you select NTP, you will be prompted for the IP address of the NTP 
server(s) you want to use. If you set the date manually, you will be 
prompted first for the timezone, then for the date and time in 24-hour 
format. 

Example, with NTP: 

monitor>settime 

Use NTP? [enable] > 

Enter IP address of NTP server or <return> to 
end: >209.218.240.1 

Enter IP address of NTP server or <return> to 
end: >209.218.240.238 

Enter IP address of NTP server or <return> to 
end: > 

NOTE: Example 1 is for 
setting the time using 
Greenwich Mean Time 
(GMT). For example, the 
GMT-14 timezone is 
GMT minus 14 hours. 

Example 1, without NTP (manual setting): 

monitor>settime 

Use NTP? [disable] > 

Select TIMEZONEs to list (GMT, US, Other or q to 
quit): [GMT] >GMT 
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Select a TIMEZONE from the 'GMT' list. 

 1) GMT-14    2) GMT-13    3) GMT-12 
 4) GMT-11    5) GMT-10    6) GMT-9 
 7) GMT-8     8) GMT-7     9) GMT-6 
10) GMT-5    11) GMT-4    12) GMT-3 
13) GMT-2    14) GMT-1    15) GMT 
16) GMT+1    17) GMT+2    18) GMT+3 
19) GMT+4    20) GMT+5    21) GMT+6 
22) GMT+7    23) GMT+8    24) GMT+9 
25) GMT+10   26) GMT+11   27) GMT+12 

Select a number between 1 and 27 
(q to quit) >2 

Selected TIMEZONE 'GMT-13' 

The current time is now: Fri Sep 29 05:38:38 
GMT-13 2000 

Enter the year (YYYY): [2000] > 

Enter the month (MM): [09] > 

Enter the day (DD): [29] > 

Enter the hour (HH): [05] > 

Enter the minute (MM): [38] > 

Enter the seconds (SS): [38] > 

Fri Sep 29 05:38:38 GMT-13 2000 

NOTE: Example 2 is for 
setting the time using 
United States time (US). 

Example 2, without NTP (manual setting): 

monitor>settime 

Use NTP? [disable] > 

Select TIMEZONEs to list (GMT, US, Other or q to 
quit): [GMT] >US 

Select a TIMEZONE from the 'US' list. 

 1) Alaska          2) Aleutian         3) Arizona 
 4) Central         5) Eastern          6) Hawaii 
 7) Indiana-East    8) Indiana-Starke   9) Michigan 
10) Mountain       11) Pacific         12) Samoa 

Select a number between 1 and 12 
(q to quit): [11] >5 
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Selected TIMEZONE 'Eastern' 

The current time is now: Sat Oct 28 23:59:42 
2000 

Enter the year (YYYY) : [2000] > 

Enter the month (MM) : [10] > 

Enter the day (DD): [28] >29 

Enter the hour (HH) : [23] >01 

Enter the minute (MM): [59] >57 

Enter the seconds (SS) : [39] > 

Sun Oct 29 01:57:39 EDT 2000 

Example 3, without NTP (manual setting): 

NOTE: Example 3 is for 
setting the time using any 
timezone OTHER THAN 
GMT or US. 

monitor>settime 

Use NTP? [disable] > 

Select TIMEZONEs to list (GMT, US, Other or q to 
quit): [GMT] >Other 

Select a TIMEZONE from the 'Other' list. 

 1) Bangkok      2) Belfast      3) Belgrade 
 4) Berlin       5) Brussels     6) Copenhagen 
 7) Hongkong     8) Israel       9) Japan 
10) London      11) Madrid      12) Manila 
13) Paris       14) Poland      15) Portugal 
16) Prague      17) Rome        18) Singapore 
19) Stockholm   20) Turkey      21) Warsaw 
22) Zulu        23) Zurich 

Select a number between 1 and 23 (q to quit): 
[10] >22 



Selected TIMEZONE 'Zulu' 

The current time is now: Sat Oct 28 23:59:42 
2000 

Enter the year (YYYY): [2000] > 

Enter the month (MM) : [10] > 

Enter the day (DD): [28] >29 

Enter the hour (HH) : [23] >01 

Enter the minute (MM): [59] >57 

Enter the seconds (SS) : [39] > 

Sun Oct 29 01:57:39 EDT 2000 
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setup         Initiates the SA8220's setup procedure. The system displays prompts 
for all inputs necessary to initialize it. 

Example: 

monitor>setup 

Enable dual NIC operation (yes, no)? [no] >yes 

Autoconfigure the Network side NIC speed and 
duplex? (yes, no)? [yes] > 

Autoconfigure the Server side NIC speed and 
duplex? (yes, no)? [yes] > 

DHCP is disabled for dual NIC operation. 
Enter the hostname you would like to assign to 
the Network NIC: >CSLab7k 

Enter the IP address for the Network side NIC 
>10.6.3.21 

Enter the IP address for the Server side NIC 
>10.6.5.21 

Enter the Netmask for the Network side NIC 
>255.255.255.0 

Enter the Netmask for the Server side NIC 
[255.255.255.0] >255.255.255.0 

Enter default gateway: >10.6.3.1 

Would you like to configure DNS (yes, no)? [no] 
> 
DNS not configured. 

Specify failover method (disabled, serial, 
route): [disabled] > 

Set Autoboot? (yes, no) [no] > 
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static_routes Deletes and adds any number of static IP routes. Shows the current 
static IP routes (if any) when the function is entered. You are 
prompted for the destination and gateway IP addresses. The info 
command will show any static IP routes that are known to the Boot 
Monitor, and factory_reset will remove all static IP routes as 
part of its cleanup. 

Example: 

monitor>static_routes 

Static Route information. 

Enter Static route (1) dest IP (- to del, q to 
quit): >10.7.16.5 

Enter Static route (1) gate IP (- to del, q to 
quit): >10.8.15.40 

Enter Static route (2) dest IP (- to del, q to 
quit): >10.7.18.50 

Enter Static route (2) gate IP (- to del, q to 
quit): >10.8.15.40 

Enter Static route (3) dest IP (- to del, q to 
quit): >q 

{2} Static Route(s). 

version Displays software version information. 

Example: 



monitor>version 

Product: HP SA7220 

Version : 2.4 

Patch Level: 0.1 

Build: 40 
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Graphical User 
Interface 



NOTE: For ease of 
reading, all models are 
referred to as the SA8220 
throughout this 
document. Unless noted 
otherwise, all SA8220 
references refer to all 
models. 



This chapter covers the following topics: 

• Before You Begin 

• Logon Screen 

• Topology Screen 

• Policy Manager Screen 

• Administration Screen 

• Configuration Screen 

• Tools Screen 

• Statistics Screen 
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Before You Begin 

NOTE: Some functions 
and features are not 
available in the GUI. 

The HP e-Commerce Traffic Director Server Appliance SA8200/ 
SA8220s and HP Traffic Director Server Appliance SA7200/ 
SA7220s have features and functions that are controlled through 
either the browser-based Graphical User Interface (GUI), as 
discussed in this chapter, or the Command Line Interface (CLI), as 
discussed in Chapter 5. 

In order to use the inside IP or inside online IP for administration, the 
client must be on the same subnet as the inside interface, or must have 
an alternate path back through the outside interface. 
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Logon Screen 



To access the various GUI services available to you on the SA8220, 
you must first log on to the system as described in this section. 



Logging on to 
the GUI 



NOTE: If Internet 
Explorer* 5.01 (or later) 
is your browser, you must 
add a trailing slash (/) to 
the URL, as shown in step 
(2). Also, the default GUI 
port (1095) can be 
changed. For details, 
please see "GUI Tab" in 
this chapter. 

1. Launch your browser. 

2. In your browser's Address or Location field, type the SA8220's 
address and specify port 1095. For example: 

http://system_name:1095/ 

where system_name is the actual name or IP address of your 
SA8220. 

3. Press Enter. 

The Logon screen displays, as shown below. 
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Logon Screen 
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NOTE: The factory 
default for both the user 
name and password is 
admin (lowercase 
required). Change them 
before placing the 
appliance in service; to 
do so, please see "Users 
Tab" in this chapter. 

4. In the space provided, type your User name. 

5. In the space provided, type your Password. 

6. Click Logon. 

The Topology screen displays, as shown on the next page. The 
number of server icons varies, depending upon your network 
configuration. 






Topology Screen 




Using the Topology Screen 

Purposes of the Topology Screen 

• Displays a graphical representation of the current topological 
relationships between the SA8220 and network servers. The 
SA8220's status and Serial Cable failover, if configured, are also 
reflected here. 

• Serves as a gateway to the Administration and Policy Manager 
screens, and the Configuration and Tools screens. 
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Topology Screen Toolbar 



Located at the top left of the window, the toolbar is shown above. 
The toolbar's buttons, from left to right, are described below: 

• Back returns you to the previous screen. From the Topology 
screen, this will log you off the system and return you to the 
logon screen. 

• Configuration displays the Configuration Screen 

• Administration displays the Administration Screen 

• Tools displays the Tools Screen 

• Policy Manager displays the Policy Manager Screen 

• Statistics displays the Statistics Screen 

• Log File displays the SA8220's log file. 

Online Help Button 

Located at the top right of the window, the Help button is shown 
above. Click Help to display the online help file. 
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Topology Screen Elements 




SA8220 Icon 

The SA8220 is represented onscreen by a horizontal "rack unit" icon, 
as shown above. 

• Right-clicking on the SA8220 icon displays a popup menu that 
can take you to other screens. 

• Double-clicking the SA8220 icon takes you to the Policy 
Management screen by default, but this can be changed in the 
Administration screen (please see "Administration Screen" in 
this chapter). 





Server Icon 

Servers are represented onscreen by vertical "tower case" icons, as 
shown above. 

• Right-clicking on a server icon displays a popup menu that can 
take you to other screens. 

• Double-clicking the server icon takes you to the Statistics screen 
by default, but this can be changed in the Administration screen 
(please see "Administration Screen" in this chapter). 
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Window Controls 




Slider Control 



To resize the Topology screen elements, click and drag the slider 
control located in the upper right hand corner of the screen, as shown 
above. 

• Move the slider control to the far right, as shown above, for the 
largest display. 

• Move the slider control to the far left for the smallest display. 




Background Zoom and Refresh Control 

The Topology screen elements can also be resized by right- clicking 
on the background of the screen. The popup menu shown above 
displays onscreen. 

• Zoom In enlarges the display and is the equivalent of moving the 
slider control to the right. 

• Zoom Out reduces the display and is the equivalent of moving the 
slider control to the left. 

• Refresh Display updates the Topology screen. 
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Policy Manager Screen 



When you double-click a SA8220 icon in the Topology screen (or 
right-click and select Policy Management), the Policy Manager 
screen displays, as shown below. 
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Policy Manager Screen 

The Policy Manager consists of a series of screens with multiple tabs 
that includes the controls used in the implementation of Policies. The 
discrete items created, altered, and deleted in the course of Policy 
management are listed below: 

• Policy Groups 

• Services 

• Servers 
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Policy 
Manager 
Controls and 
Displays 



The Policy Manager screen contains two main regions, as described 
below: 

• The Policies display, on the left side of the Policy Manager 
screen 

• The Details display, on the right side of the Policy Manager 
screen 

The relative sizes of the Policies and Details displays are adjustable 
by clicking and dragging the vertical line between the panels. The 
Policies display includes existing Policy Groups, Services, and 
Servers, reflecting the previously mentioned hierarchy. The Details 
display includes controls and status displays relating to the item 
selected in the Policies display, and changes according to the type 
(Policy Group, Service, or Server) of the item selected. If a Service or 
Server is selected, then the Details screen contains two tabs, each 
containing related controls. 

The three types of items form a hierarchy: policy groups contain 
Services. Services in turn contain Servers. A lower hierarchy item 
cannot be created unless its immediately superior type exists, that is, 
a policy group must exist before you can create a Service, and a 
Service must exist before you can create a Server. 



Policy 

Manager 

Toolbar 



New Policy Group   New Service   New Server   Delete Selected Item 

Policy Manager Toolbar 
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The Policy Manager toolbar contains three buttons for creating Policy 
Groups, Services and Servers, and one button to delete the currently 
selected item, regardless of its type. The toolbar's buttons are enabled 
or disabled (dimmed) according to the type of item selected in the 
Policies display. 



Policy 
Manager's 
Pop-up Menu 

You can display the Policy Manager's pop-up menu, shown below, 
by right-clicking in the Policies display. 

Display Commands: 
  Expand All Items 
  Collapse All Items 
  Reload Tree Data 
  Refresh All Statuses 
  Refresh Interval ... 

Sort Commands: 
  * Sort by Name 
  Sort by Priority 

Create/Delete Commands: 
  New Policy Group 
  New Service 
  New Server 
  Delete Selected Item 

Policy Manager's Pop-up Menu 



Policy Groups 



Services are virtual resources provided to a client. However, Services 
can exist only in the context of Policy Groups. Policy Groups are 
regarded as containers used to organize Services. Therefore, before 
Services can be defined, Policy Groups must be created to contain 
them. 

The Policy Manager's Policy Group Details screen provides two 
functions: 

• Naming of newly created Policy Groups 

• Enabling or disabling of the selected Policy Group's throttling 
function 
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Creating Policy Groups 

You can create Policy Groups in either of two ways: 

1 . Click New Policy Group, in the left of the Policy Manager 
toolbar, or 

2. Right-click to display the menu, then select the New Policy 
Group command. 

A new Policy Group icon displays in the Policies display and its 
Details screen opens, as shown below. 



NOTE: The names of 
existing Policy Groups 
cannot be changed. 




Adding a New Policy Group 

3. Type a name for the new Policy Group in the Policy Group Name 
field. Policy Group names must adhere to the following 
conventions: 

• From 1 to 25 characters in length 

• Any alphanumeric character 

• Other eligible characters include hyphens ("-"), periods ("."), and 
underscores ("_") 

• Spaces must not be used. 

Within these restrictions, the naming of Policy Groups is at your 
discretion, though convenient naming schemes might include 
serial names ("Groupl," "Group2," etc.), or names that reflect a 
Policy Group's content, such as "e-CommerceGrp" or 
"HTTP_Group." 
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Details for NewPolicyGroup 

[ ] Enable Server Throttling 

Policy Group Name: Group1 

Naming the New Policy Group 



4. To accept the specified name, click Apply. The new Policy 
Group's name displays in the Policies display. 

When the new Policy Group name displays, the New Service 
button (see above) becomes available. This reflects the fact that 
Services cannot be created unless at least one Policy Group 
already exists. 

Throttling 

When throttling is enabled, requests to eligible servers in lower- 
priority services are stopped until response times of higher priority 
services are met, or all eligible servers have been throttled. An 
eligible server is one that is shared by both higher and lower priority 
services. Throttling affects all services within a Policy Group. 

To enable or disable throttling for the selected Policy Group, follow 
the steps below: 

1 . Select the Enable Server Throttling check box (see figure above). 

2. Click Apply. 

Deleting Policy Groups 

To delete a Policy Group, follow the steps below: 

1 . In the Policies display, click to select the name of the Policy 
Group to be deleted. 

2. In the Policy Manager toolbar, click Delete (X), or right-click to 
display the menu and click the Delete Selected Item command. 
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Services 



Once a Policy Group exists, you can create Services. 

Creating Services 

Follow these steps to create a Service: 

1. In the Policies display, click to select a Policy Group. 

2. In the Policy Manager toolbar, click New Service, or right-click 
in the Policies display and select New Service from the pop-up 
menu. 

The Service Details tab displays in the Details screen, as shown 
below. 



NOTE: All fields 
mentioned in steps (3) 
through (6) become read- 
only after the service is 
created. 
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Service Name: 
Service Type: 
Priority (1-5): 
Duplicate SYN Timeout (mics): 
Server Timeout (sec): 
Sticky Mode:  ( ) Disabled  ( ) Source IP  ( ) Cookie 
Sticky timeout (sec): 
Virtual IP: 
Port: 
Protocol: 
Status: 
[ ] Enable Backup Servers 
[x] Insert Source IP in HTTP Header 

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Service Details Tab 

3. In the Service Name field, type a name for the service. 

4. From the Service Type pull-down menu, click the desired Service 
type. The choices are HOT TCP (the default), or RICH_HTTP. 
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NOTE: The VIP/port 
combination must be 
unique. 



5. From the Virtual IP pull-down menu, click the desired Virtual IP 
(VIP) address. If there are no VIPs in the menu, or if the desired 
one is absent, type it in. 

6. Type a port in the Port field. The port is the listening port for 
incoming connections, and you can select port numbers between 
1 and 65535. 

7. When you have finished filling in the fields in the Service Details 
tab, click Apply. 

The Policies display now reflects the name of the new Service 
below the name of the Policy Group from which it was created. 
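The Python script below is an added example written for this edition, not code from HP or from the appliance. It checks a batch of Policy Groups and Services against the rules stated in this chapter before anyone types them into the Policy Manager: the Policy Group naming convention, the rule that a group must exist before its services, the 1-5 priority range, the 1-65535 port range, the unique VIP/port requirement, the Duplicate SYN Timeout range from the table that follows, and the rule that Cookie sticky mode applies only to RICH_HTTP services. The Service dataclass, the group and service names, and the addresses are the editor's constructed sample, not appliance objects.

```python
"""Validate Policy Groups and Services against the rules this chapter states
before entering them in the Policy Manager (added example, not HP code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Policy Group names: 1-25 characters from letters, digits, '-', '.', '_'; no spaces.
GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,25}$")
SERVICE_TYPES = {"HOT TCP", "RICH_HTTP"}
STICKY_MODES = {"Disabled", "Source IP", "Cookie"}


@dataclass
class Service:
    name: str
    group: str                      # Policy Group the Service is created under
    vip: str                        # Virtual IP address
    port: int                       # listening port, 1-65535
    service_type: str = "HOT TCP"   # HOT TCP (default) or RICH_HTTP
    priority: int = 1               # 1 (highest) .. 5 (lowest)
    dup_syn_timeout_us: int = 500_000
    sticky_mode: str = "Disabled"


def validate(groups: List[str], services: List[Service]) -> List[str]:
    """Return one human-readable error per violated rule; empty means clean."""
    errors: List[str] = []
    known = set()
    for g in groups:
        if not GROUP_NAME_RE.match(g):
            errors.append(f"group {g!r}: name must be 1-25 letters, digits, '-', '.' or '_' with no spaces")
        if g in known:
            errors.append(f"group {g!r}: duplicate name")
        known.add(g)

    vip_ports: Dict[Tuple[str, int], str] = {}   # (VIP, port) -> service that owns it
    for s in services:
        who = f"service {s.name!r}"
        if s.group not in known:
            errors.append(f"{who}: policy group {s.group!r} must exist before the service")
        if s.service_type not in SERVICE_TYPES:
            errors.append(f"{who}: service type must be one of {sorted(SERVICE_TYPES)}")
        if not 1 <= s.priority <= 5:
            errors.append(f"{who}: priority must be 1-5")
        if not 1 <= s.port <= 65535:
            errors.append(f"{who}: port must be 1-65535")
        if not 1000 <= s.dup_syn_timeout_us <= 2_147_483_647:
            errors.append(f"{who}: duplicate SYN timeout must be 1000-2147483647 microseconds")
        try:
            ipaddress.ip_address(s.vip)
        except ValueError:
            errors.append(f"{who}: VIP {s.vip!r} is not an IP address")
        if s.sticky_mode not in STICKY_MODES:
            errors.append(f"{who}: sticky mode must be one of {sorted(STICKY_MODES)}")
        elif s.sticky_mode == "Cookie" and s.service_type != "RICH_HTTP":
            errors.append(f"{who}: Cookie sticky mode is available only for RICH_HTTP services")
        key = (s.vip, s.port)
        if key in vip_ports:
            errors.append(f"{who}: VIP/port {s.vip}:{s.port} already used by {vip_ports[key]!r}")
        else:
            vip_ports[key] = s.name
    return errors


# Constructed sample (hypothetical groups, services and addresses).
SAMPLE_GROUPS = ["e-CommerceGrp", "HTTP_Group", "bad group"]
SAMPLE_SERVICES = [
    Service("shop", "e-CommerceGrp", "10.6.3.100", 443, "RICH_HTTP", 1, 500_000, "Cookie"),
    Service("shop-dup", "HTTP_Group", "10.6.3.100", 443),            # same VIP/port as 'shop'
    Service("ftp", "HTTP_Group", "10.6.3.101", 70000, priority=6),    # port and priority out of range
    Service("legacy", "HTTP_Group", "10.6.3.102", 80, sticky_mode="Cookie"),  # Cookie on HOT TCP
    Service("orphan", "Group9", "10.6.3.103", 8080),                # group does not exist
]


def sample_errors() -> List[str]:
    return validate(SAMPLE_GROUPS, SAMPLE_SERVICES)


if __name__ == "__main__":
    for err in sample_errors():
        print(err)
```

The sample produces six errors: the group name with a space, the duplicate VIP/port, the out-of-range port and priority on "ftp", Cookie sticky on a HOT TCP service, and the service whose group does not exist. Running such a check first avoids discovering each problem one Apply click at a time in the GUI.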



Additional Service Tab Controls and Displays 

The items listed below can be changed after the Service has been 
created. 



Control or Display: Description

Enabled: Select this check box to activate the selected Service. Clear the 
check box to disable the Service. 

Priority: Services within a single Policy Group can be prioritized. The 
SA8220 assures more server resources to Services with high priority numbers 
than to those with lower numbers. The Priority setting is an integer from 
1 (highest priority) to 5 (lowest priority), and the default is 1. 

Duplicate SYN Timeout: This value is the time interval (in microseconds) 
after which the fulfillment server is declared dead if the dynamically 
calculated number of duplicate SYNs (lost packets) to that server is 
detected. You can specify a value from 1000 to 2,147,483,647, and the 
default is 500,000. 

Server Timeout (RICH only on all models except the SA7200): This value is 
the time interval (in seconds) during which a server must respond before it 
is declared dead. If the server fails to respond before the end of the 
timeout interval, the outstanding request is passed to another server. This 
value is only available for RICH_HTTP services. 

Enable Backup Servers: This check box allows you to enable or disable 
servers designated as type "Backup" to come on line if necessary to assure 
target response times. For more details about servers, please see "Servers" 
in this chapter. 

Insert Source IP in HTTP Header (RICH only on all models except the 
SA7200): This check box specifies whether or not the Source IP address is 
embedded within the HTTP header information. 

Sticky Mode: The SA8220 is configured to maintain a session's state so that 
serial requests from a single client are allocated to the same server. This 
is called a "sticky" port. This setting may be disabled, based on Source 
IP, or based on a Cookie as described below: 

Source IP: Source IP sticky mode uses the client's source IP address to 
identify a series of requests to be directed to a single server. 

Cookie: In cases where requests come through a proxy server, all requests 
appear to originate from that server's IP address, so the IP address is of 
no use in identifying individual requestors. Cookie sticky mode provides an 
active method of identifying requestors in such situations. When Cookie 
sticky mode is enabled, a cookie is given to requesting browsers. Subsequent 
requests from clients who have received cookies contain identifying 
information allowing the SA8220 to direct them to a single server. Cookie 
mode is available only for RICH_HTTP, so it is not available on the SA7200. 

NOTE: If using SSL services on the SA8200/SA8220, the SSL session ID 
maintains a sticky relationship when Source IP sticky is selected. 

Sticky Timeout: The current software version for the SA8220 treats the 
timeout differently for cookie versus Source IP sticky. With Source IP 
sticky, the timeout is reset with every connection from the client (so that 
the timeout is effectively an "idle time"). With cookie sticky, the timeout 
starts with the first connection from the client to the server, and never 
gets reset. When the cookie expires, even if actively being used, the next 
connection will be load balanced to a new server. 

Work around: We recommend that you set the cookie sticky timeout value to 
at least 1.5 times the maximum amount of time a user will expect to be 
stuck to a server. The default is 90 seconds. 

Protocol: This read-only field displays the protocol of the Service (TCP). 

Status: This read-only field displays the status of the selected Service 
("Active" or "Inactive"). 
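The two timeout behaviours described above, as an added Python model that is not part of this guide or of the SA8220 software: an affinity table that applies the idle-style reset for Source IP sticky and the fixed expiry for cookie sticky, plus the 1.5x sizing rule from the work-around. Server names, client identifiers and the round-robin fallback are constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import cycle

# Constructed model of the SA8220 sticky behaviours described above; it is
# not the appliance's code. The balance used for a client with no valid
# sticky entry is assumed to be round robin across the listed servers.


@dataclass
class Entry:
    server: str
    expiry: float  # absolute time (seconds) after which the entry is stale


class StickyTable:
    def __init__(self, mode: str, timeout: float, servers: list) -> None:
        if mode not in ("source_ip", "cookie"):
            raise ValueError("mode must be 'source_ip' or 'cookie'")
        self.mode = mode
        self.timeout = timeout  # Sticky Timeout value in seconds (default 90)
        self._next_server = cycle(servers)
        self._entries = {}

    def route(self, client: str, now: float) -> str:
        """Return the server for this client's connection at time `now`.

        `client` is the source IP in Source IP mode or the cookie value in
        cookie mode; `now` is seconds on a monotonic clock.
        """
        entry = self._entries.get(client)
        if entry is not None and now < entry.expiry:
            if self.mode == "source_ip":
                # Source IP sticky: every connection resets the timeout,
                # so it behaves as an idle time.
                entry.expiry = now + self.timeout
            # Cookie sticky: the expiry set at the first connection never
            # moves, even while the client is active.
            return entry.server
        # No entry, or the entry has expired: load balance afresh.
        server = next(self._next_server)
        self._entries[client] = Entry(server, now + self.timeout)
        return server


def recommended_cookie_timeout(max_stick_seconds: float) -> float:
    """Work-around from the guide: cookie timeout of at least 1.5 times the
    longest period a user is expected to stay stuck to one server."""
    return 1.5 * max_stick_seconds


def demo() -> dict:
    """Same client connecting at t = 0, 60 and 120 s with a 90 s timeout,
    once in each sticky mode. Cookie mode rebalances at 120 s even though
    the client never went idle; Source IP mode keeps it on the same server."""
    times = [0, 60, 120]
    result = {}
    for mode in ("source_ip", "cookie"):
        table = StickyTable(mode, timeout=90, servers=["srv-a", "srv-b"])
        result[mode] = [table.route("client-1", t) for t in times]
    return result


if __name__ == "__main__":
    for mode, servers in demo().items():
        print(f"{mode:>9}: {servers}")
```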
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Balance Strategy 

HOT Services are assigned server resources according to either of 
two Balance Algorithms. Click the Balance Strategy tab of the 
Service Details screen to display the Balance Algorithm controls, as 
shown below. 
[Screen image: Service Details screen, Balance Strategy tab, showing the 
Balance Algorithm pull-down (Response Time) and the Algorithm Parameters 
field Max response time (ms)] 

Service Balance Strategy Screen 



Two Balance Algorithms are available: 

• Response Time: Requests for a Service using the Response 
Time algorithm are forwarded to the server that can fulfill them 
within the shortest time. 

• Round Robin: Requests for a Service using the Round Robin 
algorithm are distributed evenly among the available servers. 

1. From the pull-down menu, click to select the desired Balance 
Algorithm for the Service selected in the Policies display. If you 
select Response Time, type a value (in milliseconds) in the Max 
response time (ms) field. For more details, please see "Response-
Time Metrics" in Chapter 2. 
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Deleting Services 

To delete a Service: 

1. In the Tree, click to select the name of the Service to be deleted. 

2. In the Policy Manager toolbar, click Delete, or right-click to 
display the menu and click the Delete Selected Item command. 



Servers 

After you create Services, you must designate, or "create" Servers to 
fulfill client requests for Services. As Services must exist within 
Policy Groups, a Server (for example, a fulfillment host) must be 
mapped to a Service. 

To create Servers, follow the steps below: 

1. In the tree, click an existing Service. 

2. In the Policy Manager toolbar, Click Create Server, or right-click 
in the Policies display and click New Server from the pop-up 
menu. 

The Server Details tab displays in the Details screen, as shown 
below. 
[Screen image: Server Details tab with fields Server Name, Port, Type 
(Primary), Weight, Status, and Mode (Brokered)] 

The Policy Manager's Server Detail Screen 

3. In the Server Name field, type an IP address or server name 
known to the SA8220 via DNS or static host table. This value 
cannot be changed after the server is created. 

4. If appropriate, edit the Port field. The default value is the port 
number of the Service under which this Server displays in the 
Tree. This value cannot be changed after the server is created. 
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5. From the drop down menu, click to select the desired Server 
Type. Available types are listed below: 

• Primary: Primary servers are immediately available to 
accept client requests forwarded from the SA8220. 

• Backup: Backup servers are sent requests under only two 
circumstances: First, when the primary servers are unable to 
meet the configured target response times a backup server 
may be used if and only if "backups" is enabled for this 
service. Second, backup servers are given requests when a 
primary server is unavailable. As primary servers become 
inactive, backup servers are brought into service to handle 
requests. 

• Disabled: Renders the server unavailable to accept client 
requests. 

6. From the drop down menu, click to select the desired Server 
Mode. This command enables or disables Source Address 
Preservation (SAP) on the named server. When Out-of-Path 
Return (OPR) is enabled, the user-designated server port is 
ignored and the configured service server port is used. By 
default, SAP is enabled (and cannot be disabled) when OPR is in 
effect. 

• For more details about SAP, please see "Source Address 
Preservation" in Chapter 2. 

• For more details about OPR, please see "Out-of-Path Return 
(OPR)" in Chapter 2. 
NOTE: OPR cannot be 
used in conjunction with 
Services of type 
RICH_HTTP. 



RICH Controls (all models except the SA7200) 

If the type of the Service under which you create a Server is 
RICH_HTTP, the Server Details tab displays some additional 
controls, as shown below. 
Server Details Screen with RICH Controls Displayed 

The RICH controls are listed below: 

• Multi-hop Source Address Preservation: It is possible in 
sophisticated network topologies to require that requests pass 
through two cascaded SA8220s. In such configurations, the 
SA8220 topologically closest to the clients must be configured 
with the MSAP feature enabled. In most configurations, the 
default setting (MSAP disabled) must be used. 

• 606 Error Detection: "606" is a user-defined error code, that is, 
you can specify an application level error as a "606 error" so it is 
detectable by the SA8220. When 606 Error Detection is enabled, 
requests that generate a 606 error are rerouted, transparently to 
the client, to the next available server. When disabled, the error is 
sent back to the requesting client. 
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• HTTP Error Detection: When HTTP Error Detection is 
enabled, requests that generate HTTP errors 401-405 and 500- 
503 are rerouted, transparently to the client, to the next available 
server. When disabled, these errors are sent back to the 
requesting client. 

• RICH Expression List: Expressions allow the SA8220 to parse 
requests at the levels of path name, file type, and filename and 
direct them to the appropriate server. Expressions can include 
wildcards. To define an expression list, type a series of 
expressions separated by the semicolon character into the RICH 
Expression List: field according to the following usage: 

Valid expressions include the following: 

• File type expressions, such as *.gif, or */index.html 

• Path expressions, such as /home/*, or /home/images/*, or /home/ 
images/a* 

• Unique file expressions, such as /index.html 

• Wildcard expression, such as * 

• The negation operator (!), e.g., !*.gif, or !*/index.html 

Invalid expressions include the following: 

• Expressions containing more than one asterisk, e.g., /index*.* 

• Text on either side of the asterisk, e.g., /index*.gif 

• Expressions containing one or more spaces or the dollar sign ($) 
character 
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Order of Expressions (all models except the 
SA7200) 

When using expressions in Layer 7 (RICH) operations, the order of 
expressions is significant only when the "not" (!) operator is used. 

Expressions are described below. 

Expression           Result 

!*.gif;*             All non-GIF files 

*;!*.gif             All files, because after specifying "all" (*), 
                     the !*.gif expression is never reached 

!*.html;/home/*      Matches all entries of the form "/home/*" 
                     except HTML files 

/home/*;!*.html      Matches all files of the form "/home/*". The 
                     !*.html has no effect. 

!/home/*             No matches 

!/home/*;*           All matches except ones starting with "/home". 
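The expression rules (valid and invalid forms) and the evaluation order shown in the table above, as an added Python model that is not the SA8220's own matcher: a validator for individual expressions and a left-to-right evaluator in which a matching "!" expression rejects the request and stops evaluation, which is the only reading consistent with every row of the table. The wildcard semantics (one asterisk at either end matching any run of characters, including "/") and the sample paths are assumptions made for the illustration.

```python
from typing import Optional

# Constructed model of the RICH Expression List rules and evaluation order
# described above; it is not SA8220 code. Assumed semantics: a single "*"
# matches any run of characters (including "/"), expressions are tried
# left to right, and a matching "!" expression stops evaluation with
# "no match", exactly as the Order of Expressions table shows.


def validate_expression(expr: str) -> Optional[str]:
    """Return None if `expr` is valid, else a short reason it is invalid."""
    if not expr:
        return "empty expression"
    if " " in expr or "$" in expr:
        return "contains a space or the dollar sign"
    pattern = expr[1:] if expr.startswith("!") else expr
    if pattern.count("*") > 1:
        return "more than one asterisk"
    if "*" in pattern and not (pattern.startswith("*") or pattern.endswith("*")):
        return "text on either side of the asterisk"
    return None


def parse_expression_list(text: str) -> list:
    """Split a semicolon-separated list into (negated, pattern) pairs,
    rejecting any expression that breaks the rules above."""
    parsed = []
    for expr in text.split(";"):
        reason = validate_expression(expr)
        if reason is not None:
            raise ValueError(f"invalid expression {expr!r}: {reason}")
        negated = expr.startswith("!")
        parsed.append((negated, expr[1:] if negated else expr))
    return parsed


def pattern_matches(pattern: str, path: str) -> bool:
    """Match one expression (at most one asterisk, at an end) against a path."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def route_matches(expression_list: str, path: str) -> bool:
    """True if a request for `path` is directed to a server carrying
    `expression_list`. The first expression that matches decides: a
    negated match rejects, a plain match accepts, nothing matching rejects."""
    for negated, pattern in parse_expression_list(expression_list):
        if pattern_matches(pattern, path):
            return not negated
    return False


def demo() -> dict:
    """Every expression list from the Order of Expressions table, evaluated
    against three constructed paths: a GIF under /home, an HTML file under
    /home, and a GIF outside /home."""
    paths = ["/home/a.gif", "/home/index.html", "/images/b.gif"]
    lists = ["!*.gif;*", "*;!*.gif", "!*.html;/home/*",
             "/home/*;!*.html", "!/home/*", "!/home/*;*"]
    return {lst: [route_matches(lst, p) for p in paths] for lst in lists}


if __name__ == "__main__":
    for lst, results in demo().items():
        print(f"{lst:<18} {results}")
```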



Deleting Servers 

To delete a Server: 

1. In the Tree, click the name of the Server to be deleted. 

2. In the Policy Manager toolbar, click Delete, or right-click to 
display the menu and click the Delete Selected Item command. 
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Administration Screen 



The Administration Screen is a set of ten tabs containing the 
functions used to manage the SA8220. Each tab includes controls and 
displays related to a specific category of administration tasks. 

[Screen image: Administration applet showing the Settings tab] 

Administration Screen — Settings Tab 



Settings Tab 



The Settings tab includes controls used to set the following: 

• System ID: Edit this field to set the unit identifier. The SA8220s 
are shipped with the unit serial number in this field. You can use 
this control to change the identifier if your site requires alternate 
asset tracking information. The new ID can be an alphanumeric 
value from 1 to 64 characters. To change this value, type the 
desired identifier, and then click Apply. 






• Server Verification Interval: Edit this field to change the 
interval in seconds at which servers are "pinged" to verify they 
are available and able to handle traffic requests. (See "IRV" in the 
Command Line Interface chapter). The valid range for this field 
is 0 to 99999. A value of 0 disables IRV. 

In addition to the above controls, the Settings tab also contains 
the following read-only displays: 

• System Name: Displays the name given the SA8220 in its initial 
configuration. 

• MAC Address: Displays the SA8220's Media Access Control 
address. 

• Status: The Status field displays information about the 
SA8220's function and failover status. For more details about 
status messages, please see "Status Information" in Chapter 2. 

Software Tab 

The Software tab contains controls and displays allowing you to 
perform the following tasks: 

• Specify image category as either System software or Agent 
Software (Agent software lists software components other than 
the SA8220 system image that may be installed on the unit, such 
as the HP Multi-Site Traffic Director Server Appliance SA9200 
agent). 

• View the list of currently installed system software images (the 
SA8220 can have up to five system images installed). 

• View the list of currently installed agent software images (the 
SA8220 can have up to four agents installed in addition to those 
accompanying each system software image). 

• Specify which of the installed software images is to be active. 

• Install or update software images. 

• Delete software images. 

• Enable or disable Passive FTP. 

• FTP or TFTP new Multi-Site Agents to the SA8220. 
[Screen image: Software tab, System Software view, listing the installed 
system images with columns Index, Active, Product, Version, Patch, and 
Build] 

Administration Screen — Software Tab (System Software View) 



System Software 

The SA8220 provides sufficient local storage for five software 
images (though at any time, only one image is active and executing.) 
The "System Software" area of the Software tab displays the list of 
currently installed system images, including the following details for 
each: 



• Image index number 

• "Active" status (yes/no) 

• Product name 
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• Product version number 

• Patch number 

• Build number 

Agent Software 

The SA8220 can interface with other HP units by using Agent 
Software images. The SA8220 provides sufficient local storage for 
at least five Agent software images (though at any time, only one 
image is enabled). To display the "Agent Software" area of the 
Software tab, click Agent Software, which displays the list of 
currently installed Multi-Site Director Agent images, as shown 
below. 
[Screen image: Software tab, Agent Software view, listing the installed 
agent images with columns Index, Active, Version, Patch, Build, and For 
Broker; below it the Update Software box with URL, Key, User, and Password 
fields and a Passive FTP check box] 

Software Tab in Agent Software View 
Details displayed for each Agent include: 

• Image index number 

• "Active" status (yes/no) 
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• Product version number 

• Patch number 

• Build number 

• Compatible Multi-Site Traffic Director version number 

Specifying the Active System Software Image 

To change the active system image: 

1. Click System Software. 

2. In the System Software box, click the image you want to activate. 

3. Click Boot. The SA8220 displays a message prompting you to 
proceed but warning you that the SA8220 will reboot as shown 
below. 



NOTE: You can also 
perform a soft reboot of 
the SA8220 by selecting 
the currently active 
software image and 
clicking Boot. 



Warning: this will cause the back end system to be reboot... 
and the administration application will need to be restarted. 
Proceed anyway? 

Boot Warning Window 

4. Click Yes. 

As the SA8220 reboots, the screen shown below displays. 



The system is shutting down. 
Please close your browser window. 



Reboot Screen 

You must close all browser windows to ensure your browser uses 
the newly activated Administration Application. 

5. Wait three to five minutes for the SA8220 to finish rebooting, 
and then run the administration application. 

6. Go to the Software tab of the Administration screen and verify 
that the "Active" column of the selected image displays yes. 
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Installing Software Images 

You can download and install new system and agent software images 
for the SA8220 using the controls in the Update Software box at the 
bottom of the Software tab. 



NOTE: A key is not 
required to obtain Agent 
Software. 

[Screen image: Update Software box with URL (pre-filled with ftp://), Key, 
User, and Password fields and a Passive FTP check box] 

Downloading a System Software Update 

1. To download the new image, contact HP Customer Support or 
your System Administrator to obtain the URL, Key, User, and 
Password information. 

For more details about software installation and updates, please 
see "Software Updates and Upgrades" in Chapter 8. 

Deleting Software Images 

To delete a software image from the list of installed images: 

1. In the Software View box, click the software type to be deleted. 

2. In the Installed Software box, click the image to be deleted. 

3. Click Delete. The SA8220 prompts you to confirm that you want 
to delete the selected image, as shown below. 



Delete the selected installation? [Yes] [No] 

Delete Image Confirmation (System View) 
4. Click Yes. 

If you selected Agent Software, the prompt shown below 
displays. 







Delete Image Confirmation (Agent View) 

5. Click Yes. 
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Users Tab 



The Users tab contains controls and displays allowing you to perform 
the following tasks: 

• Add users 

• Modify user permissions and passwords 

• Delete users 

• View the user names and permissions of all authorized users 

• View the user names and permissions of all users currently 
logged on 

• Promote your permissions level 

• Log off all other users currently logged on. 

The Administration Screen's Users tab is shown below. 
[Screen image: Users tab. The Add/Delete Users box has User Name, 
Password, and Confirm Password fields and User Permissions buttons 
(Read-only, Read-write, Read-write-all), with a List of All Users (Name and 
Permissions columns) on its right. The Current Logon box shows Login, Time, 
and Type for the current session and a list of logged-on users with Login, 
Permissions, Type, and Time columns.] 

Administration Screen's Users Tab 
The right hand side of the Users tab's Add/Delete Users box contains 
a list of all users allowed to log on to the SA8220. 
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Adding Users 
To add a user: 

1. In the User Name field, type the new user's User Name. 

2. In the Password field, type the new user's password. 

3. In the Confirm Password field, re-enter the password. 

4. In the User Permissions box, select the appropriate permission 
level: Read-only, Read-write, Read-write-all. Users with 
Read-write-all permissions can add, modify, and delete other user 
logon entries. 

5. Click Add. 

6. Verify that the new user's name and permission level displays in 
the "All User" list. 

Editing User Profiles 

To modify existing users' permissions and passwords: 

1. In the All Users List at the upper right sector of the tab, click the 
user you want to modify. 

2. If you are changing the password, type the new password in the 
Password field, and then retype it in the Confirm Password field. 

3. Click Change. 

4. If you are changing the user's permissions, click the appropriate 
button in the User Permissions box. 

5. Click Change. 

Deleting Users 

To delete a user: 

1. In the User List, click the user you want to delete. 

2. Below the list, click Delete. 

3. Verify that the deleted user's name no longer displays in the list. 

Current User's Information 

The left-hand side of the "Current Logon" box at the bottom of the 
Users tab displays the name and permissions of the user currently 
logged on to this session. The log on time and date also display in this 
area of the tab. 
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Demotion and Promotion of Your Permissions 



NOTE: Use Promote 

with care. If you promote 
your permissions, be 
aware that conflicts may 
arise among multiple 
users who have Read- 
Write-All permission. For 
example, administrative 
changes you make may be 
overwritten by another 
user. 



NOTE: Use Logoff All 
Users with care, as it can 
leave the system in an 
ambiguous state. For 
example, if a user is in the 
process of performing a 
Restore operation, and 
another user logs them off 
before the Restore 
completes, the system is 
left in an unknown state. 



If a user with Read-Write or Read-Write-All permission logs on 
while another user with Read-Write or Read-Write-All permission is 
logged on, the SA8220 "demotes" the later user's permissions to 
Read-only. A message displays informing the demoted user of the 
fact, as shown below. 



Authorization level set to Read-Only. 
A user with write permission is already logged on. 

Demoted Notification 

The demoted Read-Write-All user can restore his or her original 
permission level by clicking Promote in the Users tab. This button is 
located in the Current Logon box at the tab's lower left. 

List of Logged-On Users 

The right hand side of the "Current Logon" box at the bottom of the 
Users tab displays a list of all currently logged on users, their log on 
times, their permissions, and their log on method (either the 
Command Line Interface or the GUI). 

Logoff All Other Users 

Users with Read-Write-All permission can click Logoff All Users at 
the Users tab's lower right to end the sessions of all other users 
currently logged on. This logs off all other administrative users from 
the SA8220. Users logged on using the GUI who are logged off in this 
manner will see the message shown below in their browser window. 



Another user has logged you off the system. 
Please close your browser window. 



Logoff by Another User 
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Routing Tab 



The Administration screen's Routing tab (shown below) contains 
controls that allow you to manage the following: 

• System Role 

• Active Routing Protocol 

• OSPF Protocol 

• RIP Protocol 
[Screen image: Routing tab with a System Role box (Primary, Backup, 
Standalone (VIPs use ethernet interface)), an Active Routing Protocol box 
(OSPF, RIP), an OSPF Protocol box (Area ('backbone' or #), Hello Interval 
(s), Router Dead Interval (s), Authentication Type, Authentication Key, 
Confirm Authentication Key, Key ID), and a RIP Protocol box (RIP Version 1, 
RIP Version 2)] 

Administration Screen's Routing Tab 
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System Role 

The choice of System Role (or simply "role") depends in part on your 
network's topology and on the number of SA8220s installed. A single 
SA8220's role must be "Standalone." If two SA8220s are employed, 
and you intend to use serial cable failover, you must designate both 
SA8220s as "Standalone." If two SA8220s are employed, and you 
intend to use Router Failover, one must be designated as the 
"Primary" and the other as the "Backup." In such cases, the primary 
SA8220 accepts all client requests and routes them according to its 
configuration while the backup SA8220 monitors the primary and 
comes online if the primary fails. 

The system roles are defined below. 



Failover Method                     System Role for      System Role for 
                                    SA8220 #1            SA8220 #2 

N/A (Single SA8220 Installation)    Standalone           N/A 

Router Failover                     Primary              Backup 

Serial Cable Failover               Standalone           Standalone 

Disabled                            Standalone           Standalone 

To select the SA8220's System Role: 

1. In the System Role box, click the appropriate button. 



Active Routing Protocol 

The SA8220 needs to know what your network's active routing 
protocol is (either OSPF or RIP). 

1 . In the Active Routing Protocol box, click the appropriate radio 
button. 

RIP Protocol 

If your network's active routing protocol is RIP, click the appropriate 
button in the RIP Protocol box to specify the applicable RIP version. 
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OSPF Protocol 

The Router tab's OSPF Protocol box includes controls that allow you 
to specify the following values: 

• OSPF Area: This value must be set to the same OSPF area as the 
ingress router to which the SA8220 is talking. This can be the 
keyword "backbone," an integer, or dotted decimal format 
(xxx.xxx.xxx.xxx). The integer range is from 0 to 
2,147,483,647, and the default is not active. 

• Hello Interval: The number of seconds between hello packets 
sent on this interface. This value must match the hello interval of 
the ingress router. The valid range is from 1 to 65,535, and the 
default is 10. 

• Router Dead Interval: The number of seconds the SA8220's 
OSPF neighbors should wait before assuming this OSPF SA8220 
is down. This value must match the router dead interval of the 
ingress router. The valid range is from 1 to 2,147,483,647, and 
the default is 40. 

Authentication type and key are security mechanisms to 
guarantee that routing information is exchanged only with trusted 
routers. The type and key together comprise the "authentication 
scheme." An OSPF Area can have only one OSPF 
Authentication scheme. 

• Authentication Type: Allows you to specify the type of OSPF 
authentication. To Disable OSPF authentication, click None. To 
enable Simple password authentication, click Simple and then 
proceed to the Authentication Key field. To enable MD5 
authentication, click MD5, then enter an authentication key and 
key id. 

• Authentication Key: A user-specified string (excluding double 
quotes and spaces) used as an authentication password. The 
authentication key is from 1 to 8 characters for Simple 
authentication, and 1 to 16 characters for MD5 authentication. 

• Confirm Authentication Key: Re-enter the Authentication Key to 
verify it to the SA8220. 

• Key ID: MD5 key id, an integer from 1 to 255. MD5 
authentication provides a stronger level of security for OSPF 
users. 
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NOTE: Unless the 

config route 
protocol command is 
set to ospf, OSPF 
protocol is not active. 
For more information, 
please see Chapter 5. 



NOTE: The Router Dead 
value must be at least four 
times the Hello interval. 



NOTE: Both sides of the 
OSPF connection must 
use the same 
authentication type and 
key and key ID if 
applicable. 
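A pre-check for the OSPF values entered on the Routing tab, added here as an example that is not SA8220 code: it applies the ranges, key-length and key-character rules, the four-times-Hello rule and the "both sides must match" rule stated above, so a configuration can be checked before it is applied to the appliance and its ingress router. The dictionary field names and the sample values are assumptions made for the illustration.

```python
import re
from typing import Optional

# Constructed checker for the Routing tab's OSPF values and the constraints
# this chapter states for them; it is not SA8220 code and speaks no OSPF.
# `cfg` holds the SA8220 side; `peer` (optional) holds the ingress router's
# values and is used only for the "both sides must match" rule.

DOTTED_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAX_INT = 2_147_483_647
MATCHED_FIELDS = ("area", "hello", "dead", "auth_type", "key", "key_id")


def area_is_valid(area: str) -> bool:
    """'backbone', an integer 0..2147483647, or dotted decimal."""
    if area == "backbone":
        return True
    if area.isdigit():
        return int(area) <= MAX_INT
    return bool(DOTTED_RE.match(area)) and all(int(o) <= 255 for o in area.split("."))


def ospf_problems(cfg: dict, peer: Optional[dict] = None) -> list:
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    if not area_is_valid(str(cfg.get("area", ""))):
        problems.append("area must be 'backbone', an integer or dotted decimal")
    hello = int(cfg.get("hello", 10))   # defaults from the Routing tab
    dead = int(cfg.get("dead", 40))
    if not 1 <= hello <= 65_535:
        problems.append("hello interval out of range 1..65535")
    if not 1 <= dead <= MAX_INT:
        problems.append("router dead interval out of range")
    if dead < 4 * hello:
        problems.append("router dead interval must be at least four times the hello interval")
    auth = cfg.get("auth_type", "none")
    key = cfg.get("key", "")
    limit = {"none": None, "simple": 8, "md5": 16}.get(auth, "unknown")
    if limit == "unknown":
        problems.append(f"unknown authentication type {auth!r}")
        limit = None
    if auth == "md5":
        key_id = cfg.get("key_id")
        if key_id is None or not 1 <= int(key_id) <= 255:
            problems.append("MD5 key ID must be an integer from 1 to 255")
    if limit is not None:
        if not 1 <= len(key) <= limit:
            problems.append(f"{auth} key must be 1 to {limit} characters")
        if " " in key or '"' in key:
            problems.append("key must not contain spaces or double quotes")
        if cfg.get("confirm_key", key) != key:
            problems.append("confirm authentication key does not match")
    if peer is not None:
        for name in MATCHED_FIELDS:
            if cfg.get(name) != peer.get(name):
                problems.append(f"{name} differs from the ingress router")
    return problems


if __name__ == "__main__":
    # Constructed sample: MD5 authentication in the backbone area.
    sample = {"area": "backbone", "hello": 10, "dead": 40, "auth_type": "md5",
              "key": "s3cretkey", "confirm_key": "s3cretkey", "key_id": 1}
    print(ospf_problems(sample) or "OK")
    print(ospf_problems(dict(sample, dead=30)))
```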
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Security Tab 



The security screen (shown below) allows you to implement IP 
Packet Forwarding (IPFW) security policies. Three modes are 
available: 

• Closed 

• Open 

• Custom 
[Screen image: Security tab with a Filtering Mode box (Closed, Open, 
Custom), a Source IP box (Allow Any, Allow List), and an Access box with 
check boxes CLI (ssh), CLI (telnet), GUI, SNMP, Multi-Site Agent, and IP 
Forwarding] 

Administration Screen's Security Tab 

Closed mode disables all remote administration capabilities. Open 
mode enables all remote administration capabilities, SA9200 agent 
traffic, and IP Forwarding. Custom mode allows you to specify 
filtering of traffic based on traffic port and source IP address. 






Source IP Filtering 

The controls in the Security Tab's Source IP dialog box allow you to 
filter administration access by source IP address. This dialog box 
contains a pair of buttons and combo box. To allow any IP address 
to perform administrative tasks, click Allow Any. To filter by source 
IP, click Allow List and type the IP addresses and/or subnets allowed 
administrative access into the IP Addresses/Subnets list. Subnets are 
specified in "slash" notation (such as 209.218.0.0/16). Click the 
check icon to add the contents of the text field into the list. You can 
delete an item from the list by clicking the item to delete and clicking 
the "X" icon. 

Access Options 

When the Custom security mode is enabled, you can choose among 
the access options in the Access security box. To enable an option, 
select the corresponding check box and verify that a check mark 
displays. To disable, click again to clear the check mark. Available 
options are listed below: 

• CLI (SSH) Enable "Secure Shell," that is, secure access to the 
unit's Command Line Interface. Secure Shell operates like an 
ordinary telnet session, but adds encryption. 

• CLI (telnet) Enable standard unencrypted telnet access to the 
unit's Command Line Interface. 

• GUI Enable administration using the unit's Graphical User 
Interface. 

• SNMP Enable administration of the unit using SNMP (Simple 
Network Management Protocol). 

• SA9200 Multi-Site Traffic Director Server Appliance. Permit or 
deny traffic to the SA9200 port. 

• IP Forwarding. Permit or deny traffic to specific servers. IP 
forwarding allows administrative access to servers at their real IP 
addresses via the SA8220. For more details, please see "Routing 
with Dual Interfaces" in Chapter 2. 
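The three filtering modes and the Custom-mode combination of source-IP list and Access check boxes, as an added Python model that is not the SA8220's IPFW implementation: a policy object mirrors the Security tab, and one function decides whether an administrative connection (source address, destination port) passes. The admin ports are the defaults given on the CLI, GUI and SNMP tabs; the Multi-Site agent port is not stated in this chapter and is left out, IP Forwarding is not modelled, and the addresses in the demo are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the Security tab's filtering modes; not SA8220 code.
# Default admin ports from the CLI (22, 23), GUI (1095) and SNMP (161) tabs.
# The Multi-Site agent port is not given in this chapter, so it is omitted.
ADMIN_PORTS = {22: "cli_ssh", 23: "cli_telnet", 1095: "gui", 161: "snmp"}


@dataclass
class SecurityPolicy:
    mode: str                                   # "closed", "open" or "custom"
    allow_any: bool = True                      # Source IP box: Allow Any / Allow List
    allow_list: list = field(default_factory=list)   # "slash" notation entries
    access: set = field(default_factory=set)         # enabled Access check boxes

    def __post_init__(self):
        if self.mode not in ("closed", "open", "custom"):
            raise ValueError(f"unknown filtering mode {self.mode!r}")
        # Parse the Allow List once; a malformed entry fails here, not at
        # decision time.
        self.networks = [ip_network(n) for n in self.allow_list]


def source_allowed(policy: SecurityPolicy, src_ip: str) -> bool:
    """Allow Any passes every source; Allow List requires a CIDR match."""
    if policy.allow_any:
        return True
    addr = ip_address(src_ip)
    return any(addr in net for net in policy.networks)


def admin_access_permitted(policy: SecurityPolicy, src_ip: str,
                           dst_port: int, ports: dict = ADMIN_PORTS) -> bool:
    """Decide whether an administrative connection passes the filter."""
    service = ports.get(dst_port)
    if service is None:
        return False  # not an administrative service; out of scope here
    if policy.mode == "closed":
        return False  # all remote administration disabled
    if policy.mode == "open":
        return True   # every administration path is reachable
    # custom: the source must be permitted AND the service's box checked
    return source_allowed(policy, src_ip) and service in policy.access


def demo() -> dict:
    """Custom mode restricted to one subnet with only GUI and SSH enabled;
    the SNMP probe fails because its box is cleared, which is the
    situation the SNMP tab's note warns about."""
    policy = SecurityPolicy("custom", allow_any=False,
                            allow_list=["209.218.0.0/16"],
                            access={"gui", "cli_ssh"})
    probes = {"gui from listed net": ("209.218.4.7", 1095),
              "ssh from listed net": ("209.218.4.7", 22),
              "telnet from listed net": ("209.218.4.7", 23),
              "snmp from listed net": ("209.218.4.7", 161),
              "gui from other net": ("10.1.2.5", 1095)}
    return {name: admin_access_permitted(policy, ip, port)
            for name, (ip, port) in probes.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:<24} {'permit' if allowed else 'deny'}")
```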
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GUI Tab 



The GUI tab (shown below) includes controls that allow you to 
configure the following aspects of the SA8220's Graphical User 
Interface (GUI): 

• Server port on which the GUI is accessible from the browser 

• Response Timeout Value 

• Choice of result from double-clicking the SA8220 icon in the 
Topology Screen 

• Choice of result from double-clicking the Server icon in the 
Topology Screen 
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NOTE: After changing 
this setting your browser 
disconnects. You must 
restart your browser and 
connect it to the new port 
to resume using the 
administration 
application. 
[Screen image: GUI tab, GUI Settings box with Admin HTTP Server Port 
(1095), System response timeout (sec) (30), Double-click on System topology 
icon displays (Policy Manager), and Double-click on Server topology icon 
displays (Statistics)] 

Administration Screen's GUI Tab 

• Admin HTTP Server Port: Edit this field to designate the port on 
which the SA8220's GUI application listens. To change this 
value, type the desired port number and click Apply. Valid ports 
are any unused port between 1 and 65535. The default is port 
1095. 
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• The Broker Response timeout (sec): This field allows you to 
specify, in seconds, the time the GUI will wait for a response 
from the SA8220 before timing out. This value must be an 
integer between 0 and 120. A value of 0 disables timeout. The 
default value is 30. 

• The Double-click Broker topology icon displays: The drop down 
menu allows you to specify the destination within the GUI after 
double-clicking a SA8220 icon in the topology screen. 

• The Double-click Server topology icon displays: The drop down 
menu allows you to specify the destination within the GUI after 
double-clicking a Server icon in the topology screen. 
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CLI Tab 



The CLI tab (shown below) includes controls that allow you to 
configure the following aspects of the SA8220's Command Line 
Interface: 

• SSH Port 

• Telnet Port 

• Telnet Sessions 

• Timeout 

• Prompt 

• Login Attempts 

• Enable "more" for screen paging 

• Lines per screen 
Administration Screen's CLI Tab 
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• The CLI (SSH) Port field specifies the secure telnet port on 
which the CLI runs. Valid ports are port 22 (the default) or any 
unused port between 1024 and 65535. 

• The CLI (telnet) Port field allows you to specify the standard 
(unencrypted) telnet port on which the CLI runs. Valid ports are 
port 23 or any port between 1024 and 65535. The default is port 
23. 

• The Telnet Sessions field allows you to specify the maximum 
number of concurrent inbound remote CLI logon sessions 
allowed. This value must be an integer between 1 and 8. The 
default is 3. 

• Use the Timeout field to set or change the idle timeout period 
before automatic logoff for CLI sessions. This feature is disabled 
by setting the timeout value to "0." This timeout period is 
expressed in seconds (0, or 30 to 65535). The default is 900 
seconds (15 minutes). 

• Use the Prompt field to set or change the root level prompt. The 
default prompt is an abbreviation of the product's name, for 
example: "HP SA8220." 

• The Login Attempts field allows you to specify the maximum 
allowable number of failed login attempts before closing the 
connection. The valid range is from 1 to 30. 

• Use 'more' for screen paging. When this box is not checked, the 
CLI outputs a continuous scrolling display. When the box is 
checked, the CLI scrolls one page at time. 

• When more is selected, the Lines per screen field becomes 
available. Use this field to specify the number of lines more 
displays at a time. 

1. Click Apply. 
SNMP Tab

The SNMP tab (shown below) includes controls for the SA8220's Simple Network Management Protocol (SNMP) agent.

[Screenshot of the SNMP tab: a Community Strings table (Community | IP Address | Rights) listing "private | any | rw" and "public | any | ro", and a Trap Receivers table (IP Address | Community).]

Administration Screen's SNMP Tab



NOTE: Ensure that the 
SA8220's IP Filtering 
security mechanism 
allows IP access to 
SNMP, otherwise SNMP 
requests will not pass 
through the filter. 



SNMP Agent 

The SNMP agent allows network management applications to 
monitor and retrieve the SA8220's status and statistics via SNMP. 

The SNMP Agent Start check box allows you to enable or disable the 
SA8220's SNMP agent. The default is Enabled. 

• The SNMP Port: field allows you to specify the port on which the 
SA8220 receives SNMP requests. Allowable port numbers are 
any unused ports 5020 through 65535 or 161 (the default). 

• Use the Trap Port: field to specify the port on which the SA8220 
sends SNMP traps. Allowable port numbers are any unused ports 
5020 through 65535, or 162 (the default). 

• System Location: corresponds to the MIB variable sysLocation in MIB-II. System Location (sysLocation) is the physical location of this SA8220. By default, sysLocation is NULL.

• System Contact: corresponds to the MIB variable sysContact in MIB-II. System Contact (sysContact) is the name of the administrator of this SA8220. By default, sysContact is NULL.

• System Name: corresponds to the MIB variable sysName in MIB-II. System Name (sysName) is the name of this SA8220. By default, sysName is the hostname of the SA8220.

The Community Strings box contains community strings accepted by 
the SA8220 on incoming SNMP requests. Up to ten community 
strings can be configured for use by the SA8220. Each community 
string can have read-only (ro) or read-write (rw) privilege, and can be 
configured for use by a specific IP address or all IP addresses. When 
the value "any" is used for <ip address>, the community string can be 
used by all IP addresses. 

For example, the string: 

community=test ip=209.218.240.5 rights=ro

creates the community string test with read-only privilege. SNMP 
read-only requests using community string test are accepted only 
from IP address 209.218.240.5. 

By default, the following community strings are defined: 

public ro "any" 
private rw "any" 

The Trap Receivers box contains the IP addresses to which the 
SA8220 will send traps. The SA8220 SNMP can send trap 
notifications to up to ten configured trap receivers. Each IP address 
configured as a trap receiver is associated with a community string, 
which is included in traps sent to that IP address. 
For example, the string:

ip=209.218.240.5 community=NOC1

causes traps to be sent to IP address 209.218.240.5, and causes the SA8220 SNMP agent to put the community string NOC1 in the trap sent to that address.
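The access rule described above (string must match, entry IP must be "any" or equal to the requester, rw needed for writes) is easy to get wrong when reviewing a device's SNMP settings by eye. The following is an added example, not code from this manual or from the SA8220: it parses entries in the two "key=value" forms shown above, answers whether a given request would be accepted, and flags the settings a reviewer would want to see, namely the factory-default public/private strings and any read-write string usable from every address. The entry syntax is taken from the manual; the sample entries, the audit rules and the ten-entry limit check are this example's own.

```python
"""Parse and audit SA8220-style SNMP community and trap-receiver entries.

Added example, not code from the HP manual. Entry syntax
("community=<name> ip=<addr>|any rights=ro|rw" and "ip=<addr> community=<name>")
is taken from the manual; the audit rules and sample entries are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple

MAX_ENTRIES = 10                              # manual: up to ten of each
DEFAULT_COMMUNITIES = {"public", "private"}   # factory defaults, accepted from "any"


@dataclass(frozen=True)
class Community:
    name: str
    ip: str       # dotted quad or the literal "any"
    rights: str   # "ro" or "rw"


def _kv(line: str) -> dict:
    """Split 'key=value key=value' into a dict, rejecting malformed tokens."""
    out = {}
    for tok in line.split():
        if "=" not in tok:
            raise ValueError(f"bad token {tok!r} in {line!r}")
        k, v = tok.split("=", 1)
        out[k] = v
    return out


def parse_community(line: str) -> Community:
    kv = _kv(line)
    name, ip, rights = kv["community"], kv.get("ip", "any"), kv.get("rights", "ro")
    if rights not in ("ro", "rw"):
        raise ValueError(f"rights must be ro or rw, got {rights!r}")
    if ip != "any":
        ip_address(ip)          # raises ValueError on a malformed address
    return Community(name, ip, rights)


def parse_trap_receiver(line: str) -> Tuple[str, str]:
    kv = _kv(line)
    ip_address(kv["ip"])
    return kv["ip"], kv["community"]


def is_allowed(communities: List[Community], source_ip: str, name: str, write: bool) -> bool:
    """Decide whether a request from source_ip using community `name` is accepted:
    the string must match, the entry's ip must be "any" or equal to the source,
    and a write needs an rw entry."""
    for c in communities:
        if c.name != name:
            continue
        if c.ip != "any" and c.ip != source_ip:
            continue
        if write and c.rights != "rw":
            continue
        return True
    return False


def audit(communities: List[Community], receivers: List[Tuple[str, str]]) -> List[str]:
    """Findings a reviewer would want: default names, rw from any, entry limits."""
    findings = []
    if len(communities) > MAX_ENTRIES:
        findings.append(f"more than {MAX_ENTRIES} community strings configured")
    if len(receivers) > MAX_ENTRIES:
        findings.append(f"more than {MAX_ENTRIES} trap receivers configured")
    for c in communities:
        if c.name in DEFAULT_COMMUNITIES:
            findings.append(f"default community string {c.name!r} still defined")
        if c.rights == "rw" and c.ip == "any":
            findings.append(f"{c.name!r} grants read-write from any address")
    return findings


# Constructed sample: the two factory defaults plus the manual's example entries.
SAMPLE_COMMUNITIES = [
    "community=public ip=any rights=ro",
    "community=private ip=any rights=rw",
    "community=test ip=209.218.240.5 rights=ro",
]
SAMPLE_RECEIVERS = ["ip=209.218.240.5 community=NOC1"]


def run_sample():
    comms = [parse_community(line) for line in SAMPLE_COMMUNITIES]
    recvs = [parse_trap_receiver(line) for line in SAMPLE_RECEIVERS]
    return comms, recvs, audit(comms, recvs)


if __name__ == "__main__":
    comms, recvs, findings = run_sample()
    for f in findings:
        print("FINDING:", f)
    print("test from 209.218.240.5, read :", is_allowed(comms, "209.218.240.5", "test", False))
    print("test from 10.0.0.1, read      :", is_allowed(comms, "10.0.0.1", "test", False))
```

Run against the factory defaults the audit reports three findings; replacing "private" with a string bound to the management station's address, as the manual's "test" example does, clears the read-write-from-anywhere finding.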



Multi-Site Tab 



This tab contains controls for setting the port that communicates with 
the HP Multi-Site Traffic Director Server Appliance SA9200. 
[Screenshot of the Multi-Site tab: Multi-Site Agent Settings panel with the Agent Port field (1999).]

Administration Screen's Multi-Site Tab

To specify the Multi-Site Agent's port:

1. In the Agent Port field, type the port number. Valid range is from 1 to 65535, and 1999 is the default. We recommend using ports 1024 and higher.

2. Click Apply. 
Logging Tab

The Logging tab includes controls that allow you to specify (or filter) the kinds of information written to the SA8220's log file. This file records operational events for troubleshooting information. You can enable or disable the logging of specific types of information, and specify the log file size.




Specifying System Log Parameters 

To specify which log levels are recorded and the size of the log file:

1. In the System Log Levels box, select the check boxes for those 
types of system information you want the log file to reflect. To 
record all available information types, click Select All. 

2. In the System Log File box, type the size of the log file. Valid 
range is from 1,024 to 600,000 bytes, and 600,000 is the default. 

3. Click Apply. 
Viewing the Log File

1. To view the log file, click View Log.

The System Log File displays, as shown below.

System Log File

Actions

Dec 20 | 10:46:47 | LOG_DBG[0x0008] | nsb-13 | perl5[261] | 040001 | AF: AF: Not an AF-handled function call... msg_log_print fo:
Dec 20 | 10:46:47 | LOG_DBG[0x0008] | nsb-13 | perl5[261] | 040001 | AF: AF: Function Call Message from 10730 5
Dec 20 | 10:46:47 | LOG_DBG[0x0008] | nsb-13 | perl5[261] | 040001 | AF: AF: Receiving message from FEIQ
Dec 20 | 10:46:45 | LOG_TRACE[0x0002] | nsb-13 | rich_stat_mon[279] | 022002 | main() RICH_STAT_MON: OK ready to read data.
Dec 20 | 10:46:45 | LOG_TRACE[0x0002] | nsb-13 | rich_stat_mon[279] | 022002 | main() RICH_STAT_MON: OK data read from rich_app queue secom
Dec 20 | 10:46:43 | LOG_TRACE[0x0002] | nsb-13 | rich_stat_mon[279] | 022002 | main() RICH_STAT_MON: OK ready to read data.
Dec 20 | 10:46:43 | LOG_TRACE[0x0002] | nsb-13 | rich_stat_mon[279] | 022002 | main() RICH_STAT_MON: OK data read from rich_app queue secom
10:46:41 | LOG_TRACE[0x0002] | nsb-13 | rich_stat_mon[279]

Logging Tab's File Contents Window
The File Contents window's Actions menu contains two items: 

• Filter 

• Mail To... 
[Screenshot of the Log File Filter dialog ("Indicate Message Filter") with check boxes for General, Statistic, Warning, Trace, Security, Error, Audit and Debug, and Apply and Cancel buttons.]

Log File Filter Window

The Filter dialog box (shown above) allows you to filter the view of 
the log displayed in the File Contents window. 

1. Select or clear the appropriate check boxes to specify the types or
categories of messages you want to display. 

2. Click Apply, or Cancel to abort. 
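The Filter dialog ticks categories on and off; the same selection can be reproduced offline on a log that was saved or mailed out (see Mail To below). The following is an added example, not code from this manual or from the SA8220. It parses the pipe-separated fields that the File Contents window shows (date | time | LEVEL[0xMASK] | host | process[pid] | code | message), keeps lines whose level bit is among the selected categories, and counts records per process. The two bit values used, 0x0008 for LOG_DBG and 0x0002 for LOG_TRACE, are the ones visible in the window above; the other categories' bits are not shown in the manual and are not assumed here. The sample lines are constructed from the visible ones, with one malformed line added to show that unparseable input is reported rather than dropped.

```python
"""Parse and filter SA8220 System Log lines.

Added example, not code from the HP manual. Field layout and the two level
bits (0x0008 LOG_DBG, 0x0002 LOG_TRACE) are read off the manual's log window;
the sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# date | time | LEVEL[0xMASK] | host | process[pid] | code | message
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}) \| (?P<time>\d\d:\d\d:\d\d) \| "
    r"(?P<level>[A-Z_]+)\[0x(?P<mask>[0-9a-fA-F]{4})\] \| (?P<host>\S+) \| "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\] \| (?P<code>\d{6}) \| (?P<msg>.*)$"
)

LOG_TRACE = 0x0002   # bit seen on LOG_TRACE lines in the manual
LOG_DBG = 0x0008     # bit seen on LOG_DBG lines in the manual
SELECT_ALL = 0xFFFF  # equivalent of the dialog's "Select All"


@dataclass
class LogRecord:
    date: str
    time: str
    level: str
    mask: int
    host: str
    proc: str
    pid: int
    code: str
    msg: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord, or None when the line is not in the log format."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return LogRecord(m["date"], m["time"], m["level"], int(m["mask"], 16),
                     m["host"], m["proc"], int(m["pid"]), m["code"], m["msg"])


def load(text: str) -> Tuple[List[LogRecord], List[str]]:
    """Parse every non-empty line; unparseable lines are returned separately so
    a truncated or tampered log is noticed instead of silently shrinking."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def filter_by_mask(records: List[LogRecord], selected: int) -> List[LogRecord]:
    """Keep records whose level bit is among the selected categories, the same
    effect as ticking boxes in the Log File Filter dialog."""
    return [r for r in records if r.mask & selected]


def count_by_process(records: List[LogRecord]) -> dict:
    counts: dict = {}
    for r in records:
        key = f"{r.proc}[{r.pid}]"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample modelled on the manual's screenshot, plus one bad line.
SAMPLE_LOG = """\
Dec 20 | 10:46:47 | LOG_DBG[0x0008] | nsb-13 | perl5[261] | 040001 | AF: AF: Not an AF-handled function call...
Dec 20 | 10:46:47 | LOG_DBG[0x0008] | nsb-13 | perl5[261] | 040001 | AF: AF: Receiving message from FEIQ
Dec 20 | 10:46:45 | LOG_TRACE[0x0002] | nsb-13 | rich_stat_mon[279] | 022002 | main() RICH_STAT_MON: OK ready to read data.
Dec 20 | 10:46:45 | LOG_TRACE[0x0002] | nsb-13 | rich_stat_mon[279] | 022002 | main() RICH_STAT_MON: OK data read from rich_app queue
this line is not in the log format
"""

if __name__ == "__main__":
    recs, bad = load(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {len(bad)} rejected")
    for r in filter_by_mask(recs, LOG_TRACE):
        print(r.time, r.proc, r.msg)
    print(count_by_process(recs))
```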




Log Mail To Window 

The Mail To dialog box (shown above) allows you to email the 
contents of the log file. 

1. In the Address field, type the email address to which you want to send the log file.

2. In the Mail Host field, type the name or IP address of your network's outgoing mail (SMTP) server.

3. Click OK, or Cancel to abort. 



Configuration Screen 



The Configuration screen (shown below) includes controls that allow 
you to save, restore, send, and receive SA8220 configuration 
information in individual ASCII files. You can save configuration 
files on the SA8220 and send them to a remote TFTP server or 
retrieve them. The Configuration screen also has a provision for 
restoring the factory default configuration. 
[Screenshot of the Configuration screen at http://chad:1095/: the Configuration Name field (default.cfg), the Saved Configurations list (File Name, Lines), the Send / Retrieve Configuration box (Get / Put, tftp Host, Remote File), and a right-hand panel listing the "config ..." lines of the selected file.]

Configuration Screen
Saving Configuration Files

To save the SA8220's current configuration to a file:

1. In the Configuration Name field, type a filename.

Valid characters include letters, digits, (-), (_), and (.). File 
names cannot begin with the (.) character. 

2. Click Save. 

3. Verify that the new file's name displays in the Saved 
Configurations list. 



Restoring Configuration Files



NOTE: Username 
commands are not valid 
in configuration files. 
The save config and 
restore config operations 
do not include username 
data. Use the 
Administration Screen 's 
Users Tab to specify 
users. 



To restore a configuration file: 

1. In the Saved Configurations list, click the name of the file you 
wish to restore. 

2. Click Restore. A message displays prompting you to confirm the 
operation, as shown below. 



Warning: This operation could take several minutes or longer, depending upon the size and complexity of the current configuration and the configuration being restored.
Proceed with configuration restore? [Yes] [No]

Restore Confirmation Window
3. To finish the restore operation, click Yes, or No to abort. 
Deleting Configuration Files



To delete a configuration file: 

1. In the Saved Configurations list, click the name of the file you 
want to delete. 

2. Click Delete. A message displays prompting you to confirm the 
operation, as shown below. 



Delete the selected configuration? [Yes] [No]

Delete Confirmation Window
3. To delete the file, click Yes, or No to abort. 



Copying Configuration Files



To copy an existing configuration file under a new name: 

1. In the Saved Configurations list, click the name of the file you 
wish to copy. 

2. Click Copy. A message displays prompting you to provide a file 
name, as shown below. 



Please input new filename [OK] [Cancel]

Copy New Filename Window

Valid characters are letters, digits, (-), (_), and (.). File names 
cannot begin with the (.) character. 

3. To complete the operation, click OK, or Cancel to abort. 
Viewing Configuration Files



To prevent certificates and keys from being displayed or transmitted 
as plain text across the network, the GUI View Configuration File 
function has been disabled on the SA8200/SA8220. This function is 
still available on the SA7200/SA7220. 

1. In the Saved Configurations list, click the name of the file whose 
contents you want to view. 

2. On the SA8200/SA8220: Click View». The right hand panel 
of the Configuration screen displays the message below, as 
shown below. 

The View operation is not permitted on this 
device for security reasons. Please use the CLI 
to view configuration files. 
[Screenshot of the Configuration screen on the SA8200/SA8220 after clicking View: the right-hand panel reads "The View operation is not permitted on this device for security reasons. Please use the CLI to view configuration files." above the Saved Configurations list (File Name, Lines) and the Send / Retrieve Configuration box.]

Configuration File View (disabled on the SA8200/SA8220)
1. On the SA7200/SA7220: Click View». The right hand panel 
of the Configuration screen displays the contents of the selected 
file, as shown below. 
[Screenshot of the Configuration screen on the SA7200/SA7220 with the View panel open (Configuration Name, Send / Retrieve Configuration with Get / Put, tftp Host, Remote File). The readable lines of the displayed file include:]

sys security custom ssh disable
sys security custom telnet enable
sys security custom gui enable
sys security custom snmp disable
sys security mode open
sys msd port 1999
gui response-timeout 30
gui broker-action 0
gui server-action 1
cli telnet-sessions 3
cli prompt CD8000
cli login-attempts 3
cli more disable
cli screenlines 25
sys id CD8000
cli timeout 900

Configuration File View on the SA7200/SA7220

2. If the file is too large to fit entirely in the window, as shown 
above, use the scroll bars to navigate through the file. 

3. Click View» again to close the file contents display. 
Resetting the Factory Configuration



This command allows you to reset the SA8220 to its original factory 
configuration. Reset deletes all policy groups, services, and servers. 

Original factory settings are listed below.

Type                                      Parameter                  Default Setting
Route                                     Role                       Standalone
                                          Protocol                   None
                                          OSPF-area                  Backbone
                                          Hello interval             10 seconds
                                          Dead interval              40 seconds
                                          RIP version                2.0
Static routes                             static_route               None
RICH Bias (all models except the SA7200)  rich_bias                  Enabled
HTTPS Redirect (SA8200/SA8220 only)       Redirect                   None
CLI                                       CLI SSH-port               22
                                          CLI port                   23
                                          Prompt                     Product name
                                          Maximum telnet sessions    3
                                          Scrolling                  Disabled
                                          Idle timeout               900 seconds
                                          Maximum login attempts     3
SNMP                                      sysContact                 NULL
                                          sysName                    Host name of the unit
                                          sysLocation                NULL
GUI                                       broker-action              0 (Policy Manager)
                                          server-action              1 (Statistics)
Security                                  acl                        Cleared
                                          custom access-control      Disabled
                                          custom forwarding          Disabled
                                          custom ssh                 Enabled
                                          custom telnet              Disabled
                                          custom gui                 Disabled
                                          custom snmp                Disabled
                                          security mode              Closed

To restore the factory default configuration: 
1. Click Reset. 

A message displays prompting you to confirm the operation, as 
shown below. 



Warning: This operation could take several minutes or longer, depending upon the size and complexity of the current configuration.
Proceed with configuration reset? [Yes] [No]

Reset Confirmation Window
2. To confirm the operation, click Yes, or No to abort. 
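The factory-default table above, together with the valid ranges given for the CLI, SNMP and Multi-Site tabs, is a usable baseline for reviewing a saved configuration file before it is restored or after it is retrieved from a TFTP server. The following is an added example, not code from this manual or from the SA8220. It reads lines in the "<keywords> <value>" form that the Configuration screen displays (for example "cli timeout 900", "sys security custom telnet disable", "sys security mode open"), checks numeric values against the documented ranges, and reports where the access-related settings differ from the factory defaults. Treating every line as key words followed by a single value, the lowercase "closed" value for the security mode, and the sample lines themselves are this example's assumptions.

```python
"""Audit a saved SA8220 configuration against documented ranges and defaults.

Added example, not code from the HP manual. The "<keywords> <value>" line
syntax follows the configuration dump shown on the Configuration screen;
one-value-per-line parsing, the value "closed" for the security mode, and
the sample lines are assumptions of this example.
"""
from typing import Callable, Dict, List


def _port_ok(value: int, fixed: int) -> bool:
    """A fixed well-known port, or any port 1024..65535 (CLI tab rule)."""
    return value == fixed or 1024 <= value <= 65535


# Valid ranges taken from the GUI, CLI, SNMP and Multi-Site tab descriptions.
RULES: Dict[str, Callable[[int], bool]] = {
    "cli ssh-port":        lambda v: _port_ok(v, 22),
    "cli port":            lambda v: _port_ok(v, 23),
    "cli telnet-sessions": lambda v: 1 <= v <= 8,
    "cli timeout":         lambda v: v == 0 or 30 <= v <= 65535,
    "cli login-attempts":  lambda v: 1 <= v <= 30,
    "sys snmp port":       lambda v: v == 161 or 5020 <= v <= 65535,
    "sys snmp trap port":  lambda v: v == 162 or 5020 <= v <= 65535,
    "sys msd port":        lambda v: 1 <= v <= 65535,
}

# Factory defaults from the table above that govern management-plane exposure.
FACTORY: Dict[str, str] = {
    "sys security custom telnet": "disable",
    "sys security custom gui":    "disable",
    "sys security custom snmp":   "disable",
    "sys security custom ssh":    "enable",
    "sys security mode":          "closed",
}


def parse_config(text: str) -> Dict[str, str]:
    """Map each 'key words' prefix to its trailing value; blank lines ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.rpartition(" ")
        cfg[key] = value
    return cfg


def validate_ranges(cfg: Dict[str, str]) -> List[str]:
    """Report values outside the ranges the tabs document."""
    problems = []
    for key, ok in RULES.items():
        if key not in cfg:
            continue
        try:
            value = int(cfg[key])
        except ValueError:
            problems.append(f"{key}: non-numeric value {cfg[key]!r}")
            continue
        if not ok(value):
            problems.append(f"{key}: {value} is outside the documented range")
    return problems


def check_exposure(cfg: Dict[str, str]) -> List[str]:
    """Report access settings that drift from the factory defaults, plus a
    timeout of 0, which the CLI tab says disables automatic logoff."""
    findings = []
    for key, default in FACTORY.items():
        actual = cfg.get(key)
        if actual is not None and actual != default:
            findings.append(f"{key} is {actual!r} (factory default {default!r})")
    if cfg.get("cli timeout") == "0":
        findings.append("cli timeout 0 disables idle logoff of CLI sessions")
    return findings


# Constructed sample configuration (not a real SA8220 dump).
SAMPLE_CONFIG = """\
sys security custom ssh enable
sys security custom telnet enable
sys security custom gui disable
sys security custom snmp disable
sys security mode open
cli telnet-sessions 3
cli login-attempts 40
cli timeout 0
cli port 23
cli ssh-port 22
sys snmp port 161
sys snmp trap port 162
sys msd port 1999
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for line in validate_ranges(cfg) + check_exposure(cfg):
        print("FINDING:", line)
```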
Sending and Retrieving Configuration Files



By default, configuration files are saved on the SA8220 itself. You 
can also send them to and retrieve them from remote TFTP servers. 

To send a configuration file to a remote TFTP server: 

1. In the Saved Configurations list, click the name of the file you 
want to send. 

2. In the Send/Receive Configuration box, click Put. 

3. In the tftp Host field, type the name of the host where you will 
send the file. 

4. Optional: In the Remote Directory field, type the directory of 
the remote host where you want to save the file. 

5. Click Transfer. 

To retrieve a configuration file from a remote TFTP server: 

1. In the Send/Receive Configuration box, click Get. 

2. In the tftp Host field, type the name of the host where you will 
retrieve the file. 

3. In the Remote File field, type the name of the file you want to 
retrieve. 



4. Click Transfer. 
Tools Screen

The SA8220's Tools screen (shown below) provides network 
diagnostic tools for your convenience: 

• ARP 

• Ether 

• Ping 

• Netstat 

• Nslookup 

• Reboot 

• Trace 

• Traceroute 



[Screenshot of the Tools screen.]

Tools Screen
ARP



This command displays the SA8220's ARP table. To use the 
command: 

1. From the Command menu, click arp.

2. Click Run. 

3. After a few seconds, the ARP information displays in the Results 
window, as shown below. 





[Screenshot of the Tools screen at http://10.1.2.166:1095/ with the ARP results in the Results window and the status line "Command complete".]

The Tools Screen Displaying ARP Results
4. To clear the Results window, click Clear. 
Ether



This command displays the Ethernet interface values. To use the 
command: 

1. From the Command menu, click ether.

2. Click Run. 

3. The Ethernet interface information displays in the Results 
window, as shown below. 
Command: ether

Parameters: 10.1.2.71

Results

exp0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
        link type ether 0:a0:c9:ed:76:3e mtu 1500 speed 100Mbps
        media auto (100baseTX) status active
        inet 10.1.2.10 netmask 255.255.0.0 broadcast 10.1.255.255
exp1: flags=8822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST>
        link type ether 0:90:27:62:3a:45 mtu 1500 speed 10Mbps
        media auto (10baseT) status no-carrier

Tools Screen Displaying Ether Results
4. To clear the Results window, click Clear. 



CHAPTER 4

HP Traffic Director Server Appliances User Guide



Ping 



The Ping command tests the network connection to another 
networking device by sending five ICMP packets from the SA8220 
to the target device, which if it receives them, sends a reply. When the 
SA8220 receives the reply, it displays a message reflecting the 
response time from the target device. If the SA8220 receives no reply, 
it displays a message indicating that the target device is not 
responding. 

To "ping" a network device: 

1. From the Command menu, click ping.

2. In the Parameters field, type the host name or IP address of the 
target device. 

3. Click Run. 

After a few seconds, the Ping information displays in the Results 
window, as shown below. 
Command: ping

Parameters: 10.1.2.71

Results

ping 10.1.2.71 (10.1.2.71): 56 data bytes
64 bytes from 10.1.2.71: icmp_seq=0 ttl=254 time=1.117 ms
64 bytes from 10.1.2.71: icmp_seq=1 ttl=254 time=1.099 ms
64 bytes from 10.1.2.71: icmp_seq=2 ttl=254 time=1.098 ms
64 bytes from 10.1.2.71: icmp_seq=3 ttl=254 time=1.104 ms
64 bytes from 10.1.2.71: icmp_seq=4 ttl=254 time=1.109 ms
10.1.2.71 ping statistics
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.098/1.105/1.117 ms
Done

The Tools Screen Displaying Ping Results
4. To clear the Results window, click Clear. 
Netstat

The Netstat command displays the SA8220's routing tables. To run Netstat:

1. From the Command menu, click netstat.

2. (Optional) In the Parameter field, type any parameter from these options/variables:

• -I <interface> Can be exp0 or exp1 for dual-homed device

• -n Do not try to use DNS to resolve IP addresses

• -p <protocol> Where <protocol> can be either "ip", "icmp", "igmp", "tcp", or "udp"

Forms of the netstat command include: 

• No switches displays active network connections 

• -r displays the device's forwarding table 

• -rs displays the device's forwarding table statistics 

• -s displays protocol statistics 

• -i displays interface configuration information 

• -is displays interface statistics 

3. Click Run. 

After a few seconds, the routing tables display in the Results 
window, as shown below. 
Command: netstat

Routing tables

Internet:
Destination    Gateway             Flags   MTU    If
default        10.1.1.1            UGS     1500   exp0
10.1/16        link#1              UC      1500   exp0
10.1.1.2       0:a0:c9:fc:85:9b    UHLc    1500   exp0
10.1.1.10      0:a0:c9:fc:85:9b    UHLc    1500   exp0
10.1.2.10      0:a0:c9:ed:76:3e    UHLc    1500   lo0
10.1.2.16      0:e0:16:72:39:81    UHLc    1500   exp0
10.1.2.52      0:10:5a:ab:e9:20    UHLc    1500   exp0
10.1.2.58      0:0:81:c6:f7:81     UHLc    1500   exp0
10.1.2.71      0:0:81:cc:da:82     UHLc    1500   exp0
10.1.10.205    0:50:da:2d:91:60    UHLc    1500   exp0
127            127.0.0.1           UGRS    4352   lo0
127.0.0.1      127.0.0.1           UH      4352   lo0
224/8          link#1              UC      1500   exp0

Tools Screen Displaying Netstat Results
4. To clear the Results window, click Clear. 
Nslookup



The nslookup command identifies the IP address of a given host, or the host name of a given IP address. You can use this tool to determine whether the SA8220 can resolve a host name or address, or to get the IP address of a machine of which you know only the host name. To use nslookup:

1. From the Command menu, click nslookup. 

2. In the Parameters field, type the host name or IP address of the 
target device. 

3. Click Run. 

After a few seconds, the nslookup information displays in the 
Results window, as shown below. 



[Screenshot of the Tools screen (Opera 3.62, Admin Applet) with the nslookup results in the Results window.]

Tools Screen Displaying Nslookup Results
4. To clear the Results window, click Clear. 
Reboot



The Reboot command reboots the SA8220. This command requires 
no parameters, and when executed prompts for confirmation. 



Warning: this will cause the back end system to be reboot... and the administration application will need to be restarted.
Proceed anyway? [Yes] [No]

Reboot Confirmation

1. To reboot click Yes, or No to abort.

As the SA8220 reboots, the above screen displays and prompts 
you to close your browser window. 



The system is shutting down. 
Please close your browser window. 



Reboot Notification 

2. Close all browser windows to ensure that your browser uses the 
newly activated administration application. 

3. Wait a few minutes (typically three to five) for the SA8220 to 
finish rebooting before running the administration application. 
Trace



NOTE: By default, 
trace will automatically 
exit after 60 seconds. If 
the GUI is configured for 
a shorter timeout, the 
trace information may 
be lost. For more details, 
please see "GUI Tab" in 
this chapter. 



The trace command captures traffic on a network that matches the 
given expression. The trace output can be helpful for 
troubleshooting network problems. 

Syntax: 

trace [-aefnNpqStvxX] [-c <count>] [-i <interface>] [-s <snaplen>]
      [-T <type>] -F <file> [-P] -w <file> -H <tftp-host> -D <tftp-path>

Switches enclosed in brackets [] are optional. The -w, -F, -H, and -D 
switches are required. A complete listing of the switches for the 
trace command is found in the following table. 

Example: 

The command below TFTPs my.filter from /var/tftpboot/my.filter on dhcp8 to the SA8220, captures five packets (using the expressions in the my.filter file), and then writes the packet information to the fred.dump file. Because of the -P switch, the filter file is not deleted.

trace -c 5 -w fred.dump -F my.filter -H dhcp8 -D /var/tftpboot -P



If the -P switch is not used, the filter file is deleted. 
Switch            Description
-a                Attempt to use the DNS to convert addresses to names
-c <count>        Exit after receiving <count> packets
-D <tftp-path>    The TFTP path directory information. Required parameter.
-e                Print the link-level header on each dump line
-f                Print "foreign" Internet addresses numerically, rather than symbolically
-F <file>         The filter expression file. If this file does not exist on the SA8220, it is TFTPed from the TFTP host (see the -D and -H options). Required parameter.
-H <tftp-host>    The TFTP host information. Required parameter.
-i <interface>    Specify an interface to capture packets from (exp0 or exp1 for dual-homed devices)
-n                Don't convert addresses to names
-N                Don't print domain name qualification of host names
-p                Change the interface to promiscuous mode (every packet is captured)
-P                Preserves the filter expression file on the SA8220 for future use, so that it is not TFTPed after the first use.
-q                Output less protocol information
-s <snaplen>      Capture <snaplen> (snapshot length) bytes of data from each packet rather than the default of 76 bytes
-S                Output absolute rather than relative TCP sequence numbers
-t                Don't output a timestamp on each dump line
-tt               Output an unformatted timestamp on each dump line
-T <type>         Force packets selected by <expression> to be interpreted as the specified <type>
-v                Slightly more verbose output
-vv               Even more verbose output
-w <file>         The trace output file. Required parameter.
-x                Output each packet in hex
-X                Output each packet in hex and ASCII



The next table lists the <expression> primitives for the filter 
expression file (-F <file>). 

• If the filter expression file is empty, all packets on the net will be 
captured. 

• The <expression> primitives can be combined using parentheses and '!' or 'not', '&&' or 'and', and '||' or 'or'.
Expression               Evaluation
dst host <host>          True if the IP destination field of the packet is <host>
src host <host>          True if the IP source field of the packet is <host>
host <host>              True if either the IP source or destination field of the packet is <host>
ether dst <ehost>        True if the ethernet destination address is <ehost>
ether src <ehost>        True if the ethernet source address is <ehost>
ether host <ehost>       True if either the ethernet source or destination address is <ehost>
gateway <host>           True if the packet used <host> as a gateway
dst net <net>            True if the IP destination address of the packet has a network number of <net>
src net <net>            True if the IP source address of the packet has a network number of <net>
net <net>                True if the IP source or destination address of the packet has a network number of <net>
net <net> mask <mask>    True if the IP address matches <net> with the specific netmask
net <net>/<len>          True if the IP address matches <net> with a netmask <len> bits wide
dst port <port>          True if the packet is IP/TCP and has a destination port value of <port>
src port <port>          True if the packet has a source port value of <port>
port <port>              True if either the source port value or destination port has a value of <port>
ip proto <protocol>      True if the packet is an ip packet of protocol type <protocol>, where <protocol> can be "ICMP" or "TCP"
ether broadcast          True if the packet is an ethernet broadcast packet
ip broadcast             True if the packet is an IP broadcast packet
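A filter file is only useful if it selects exactly the traffic intended, and an empty file captures everything, so it pays to test an expression against known packets before running trace with it. The following is an added example, not the SA8220's trace implementation and not code from this manual. It parses the IP, port and protocol primitives from the table above, with the optional src/dst qualifiers, bare network numbers such as "10.1", the "mask" and "/<len>" forms, and the !/not, &&/and, ||/or and parenthesis combinators, and evaluates the result against constructed packets. The ethernet, gateway and broadcast primitives are left out, and the packets are dicts built for the example rather than anything captured from a device.

```python
"""Evaluate trace-style filter expressions against sample packets.

Added example, not the SA8220's trace code. Implements the host/net/port
primitives (optionally src/dst), "ip proto", and the not/and/or operators
from the manual's table. Packets below are constructed, not captured.
"""
import re
from ipaddress import ip_address, ip_network

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!]+")


class FilterParser:
    # Recursive descent: or_expr > and_expr > not_expr > primitive.
    def __init__(self, expression):
        self.toks = TOKEN_RE.findall(expression)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse(self):
        if not self.toks:                 # empty filter file: capture all
            return lambda pkt: True
        fn = self._or()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return fn

    def _or(self):
        left = self._and()
        while self._peek() in ("or", "||"):
            self._next()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._and())
        return left

    def _and(self):
        left = self._not()
        while self._peek() in ("and", "&&"):
            self._next()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._not())
        return left

    def _not(self):
        tok = self._peek()
        if tok in ("not", "!"):
            self._next()
            inner = self._not()
            return lambda p: not inner(p)
        if tok == "(":
            self._next()
            inner = self._or()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return inner
        return self._primitive()

    def _primitive(self):
        tok = self._next()
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._next()
        if tok == "host":
            addr = ip_address(self._next())
            return _either(direction, "src", "dst", lambda v: ip_address(v) == addr)
        if tok == "net":
            spec = self._next()
            if self._peek() == "mask":                 # net <net> mask <mask>
                self._next()
                spec = f"{spec}/{self._next()}"
            elif "/" not in spec:                      # bare network number, e.g. 10.1
                octets = spec.split(".")
                spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
            net = ip_network(spec, strict=False)
            return _either(direction, "src", "dst", lambda v: ip_address(v) in net)
        if tok == "port":
            port = int(self._next())
            return _either(direction, "sport", "dport", lambda v: v == port)
        if tok == "ip" and self._next() == "proto":
            proto = self._next().lower()
            return lambda pkt: pkt["proto"] == proto
        raise ValueError(f"unsupported primitive {tok!r}")


def _either(direction, src_key, dst_key, test):
    """Apply test to the source field, destination field, or both; a missing
    field (ICMP carries no ports) never matches."""
    keys = {"src": [src_key], "dst": [dst_key], None: [src_key, dst_key]}[direction]
    return lambda pkt: any(pkt[k] is not None and test(pkt[k]) for k in keys)


# Constructed sample packets (not captured from a real SA8220).
PACKETS = [
    {"src": "10.1.2.71", "dst": "10.1.2.10", "proto": "tcp", "sport": 40512, "dport": 80},
    {"src": "10.1.2.10", "dst": "10.1.2.71", "proto": "tcp", "sport": 80, "dport": 40512},
    {"src": "209.218.240.5", "dst": "10.1.2.10", "proto": "udp", "sport": 50123, "dport": 161},
    {"src": "10.1.2.52", "dst": "10.1.2.10", "proto": "icmp", "sport": None, "dport": None},
]


def select(expression, packets=PACKETS):
    """Return the indices of the packets the filter would capture."""
    pred = FilterParser(expression).parse()
    return [i for i, pkt in enumerate(packets) if pred(pkt)]
```

For instance, select("net 10.1 and not port 80") keeps only the SNMP and ICMP packets, which is the kind of check worth making before a capture is written to a file and pulled off the device over TFTP.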

Traceroute 



The Traceroute command displays the route that packets travel to the 
specified network device. To trace the route from the SA8220 to 
another device: 

1. From the Command menu, click traceroute.

2. In the Parameters field, type the host name or IP address of the 
target device. 

3. Click Run. 

After a few seconds, the Traceroute information displays in the 
Results window, as shown below. 



Command: traceroute

Parameters: 10.1.2.10

traceroute to 10.1.2.10 (10.1.2.10) from mli-lrali (10.1.2.166), 30 hops max, 40 byte packets
 1  nsb-13.abcllll.coin (10.1.2.10)  0.270 ms  0.182 ms  0.192 ms
Done

Tools Screen Displaying Traceroute Results
4. To clear the Results window, click Clear. 
Statistics Screen

The SA8220 provides a screen where you can view four different 
statistical categories, in a variety of graphical display formats, at the 
levels of Device, Service, and Server. Statistical data series are 
defined in the main Screen, and subsequently displayed in a separate 
window. 

The four statistical categories for SA8220s are listed below: 

• Average Connections per Second 

• CPU Utilization 

• Open Connections 

• The SA8220's Uptime 

For services and servers, the available statistics are listed below: 

• Average Response Time (ms) 

• Average Connections per Second 

• Open Connections 

• Service or Server Uptime

To display the Statistics screen:

1. In the Topology screen's toolbar, click the Statistics icon.

The Statistics Screen (shown below) is divided into the four sections 
or functional areas below: 

• Statistics Box 

• Graph Options 

• Selection List 

• Window Options 

• Selection buttons (the arrows between the Statistics Box and the 
Selection List). These are for selecting statistical categories to be 
displayed. 

• Graph button to launch the graph display window. 



NOTE: Statistics for 
open connections in 
RICH mode (on the 
SA8220 and the SA7220) 
are not available. 



Statistics Screen Controls

[Screenshot of the Statistics screen at http://10.1.2.10:1095/ with callouts: Selection List, Statistics Box (Type: System; tree rooted at nsb-13), Available Statistics (Average Connections, CPU Utilization, Open Connections, System Uptime), Selection Buttons (Arrow Buttons), Graph Options (Style: plot; Legend), Window Options (Single Graph / Multiple Graphs, X Gridlines, Y Gridlines, Refresh Interval (s): 5, Maximum Data Points: 100), and the Graph Button.]

Statistics Screen



Statistics Box 

The Statistics box contains controls for you to select the statistics you 
want to view graphically, as well as the graph format in which you 
want those statistics displayed. 

• Type: This pull-down list allows you to specify the type of 
statistics that are available: System, Server, or Service. 

• Items: Select the specific System, Services, or Servers whose 
statistics you wish to view. You can select multiple like items 
from this list. 
• Available Statistics: In this graphical display, you can specify 
which of the available statistics you want to view. These include 
Average Response Time, Average Connections per Second, CPU 
Utilization, Open Connections, and Uptime. The available 
statistics will depend on your selection from the Type pull-down 
list. You can select multiple items in this list. 

NOTE: Statistics for open connections in RICH mode (on the SA8200/SA8220 and the SA7220) are not available. 



Graph Options 

The Graph Options box contains two controls: 

• Style: This drop down list allows you to specify the style of the 
graph used to display the selected statistics for this data series. 
Available styles are Plot, Scatter Plot, Bar, Stacking Bar, Area, 
and Stacking Area. The style selected in this list is applied to 
each statistical category at the time it is selected with the right 
arrow button as described above. 

• Legend: After the Legend check box is selected, a legend 
displays at the bottom of the Graph window for this data series. 
This legend identifies each selected statistical category by color 
and symbol as it displays on the graph. When disabled, the 
legend does not display and the graph display expands to fill the 
legend area. It is enabled by default. 

To define a statistical data series, follow the steps below: 

1 . Click the type of item whose statistics you want to display 
(System, Server, Service). 

2. Click the specific item(s). 

3. Click the desired statistic. 

4. Click the graph type (Plot, Scatter Plot, Bar, etc.). 

5. Click the right arrow selection button to the right of the Statistics 
box. 

6. Verify that your selections display in the Selection list (to the 
right of the Statistics box). 

7. Repeat steps (1) through (6) above to graph more statistics, if 
needed. 



Selection List 

The Selection List reflects the item (System, Server, Service), 
statistical category, and graph type of each defined data series. These 
display in the List's three columns, described below: 

• Items: The specific System, Server, or Service selected in the 
Statistics box's Items list. 

• Statistics: The statistical category selected in the Statistics box's 
Available Statistics list. 

• Graph Type: The graph type name selected in the Graph 
Options' Style drop down menu. 

Window Options 

The Window Options box includes the following controls: 

• Single Graph: Displays all data series in a single composite 
graph. 

• Multiple Graphs: Displays each data series in its own graph. 

• X Gridlines: Displays the graph's vertical grid lines (the default 
is enabled). 

• Y Gridlines: Displays the graph's horizontal grid lines (the 
default is enabled). 

• Refresh Interval(s): The refresh or update rate of the graph in 
seconds (the default is five seconds). 

• Maximum Data Points: The number of data points displayed in 
the graph. After the maximum number of data points is 
displayed, new data points are added to the right of the graph and 
the oldest data point is displaced off the left side of the graph. 
The graph can display between 1 and 1000 data points, and the 
default is 100. 



NOTE: Statistics gathering generates network overhead, and increasing the refresh rate (that is, lowering the Refresh Interval value) increases that overhead. 
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Graphing Statistics 

1. After you've entered the desired parameters into the Statistics 
Screen, display the graph (or graphs, if you've defined multiple 
data series and have enabled Multiple Graphs) by clicking Graph 
at the bottom of the Statistics Screen. 

NOTE: The graph parameters, including the Legend checkbox, can be changed on the fly, but the results will not be displayed in the graph window (shown here) until you stop and restart the graph process from the Statistics Screen. 

Graph Window with Bar Display (figure) 

The meaning of the graph depends upon the items and statistics 
that you have selected. For example, the graph above shows a 
bar display of CPU Utilization for one system (SA8220) only. 

Although the figure above is grey scaled in this text, each plot 
displays in a unique color identified at the bottom of the graph. 

You can use this information to compare performance of multiple 
servers in relation to a service and adjust the Max Response Time 
for the servers if needed. 



This chapter covers the following topics: 

• CLI Introduction 

• Categorical List of CLI Commands 

• Run-Time CLI Command Reference 
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CLI Introduction 

The HP e-Commerce Traffic Director Server Appliance SA8200/ 
SA8220s and the HP Traffic Director Server Appliance SA7200/ 
SA7220s are fully configurable via the Command Line Interface 
(CLI). The CLI is accessible by using either Telnet or the serial port. 
Commands exist in a logical hierarchy. 

Secure Shell 
Support 

The SA8220 provides secure shell (SSH) versions 1 and 2 support. 
To use the secure shell: 

1. Launch your SSH client and connect to the SA8220's IP address. 

2. Log on to the secure shell using admin for both the user ID and 
password. You can use the change_password command, 
discussed in this chapter, to change the CLI password. 

Change the default admin password before the appliance is reachable 
from anything other than a trusted management network, and have your 
client negotiate SSH version 2: version 1 of the protocol has known 
cryptographic weaknesses. 

Online Help 

The SA8220 provides online CLI command help in six forms: 

1. Type help to describe help features. 

2. Type help commands to display the list of commands you can 
enter at the current prompt. 

3. Type help ttychars to display a list of special terminal 
editing characters. 

4. Type help <command> for a description of a specific 
command or, if relevant, a list of sub-commands you can enter 
from within <command>. 

5. Type ? to display a path list of commands and parameters 
available from the current prompt or <command> forward. 

6. Typing ? or help as one of a command's parameters, that is, 
<command> ?, displays help regarding the parameters available 
for <command>. 
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Pipes 



Any command's output can be "piped" using the | symbol with 
"grep" or "more." 

• Redirecting a command to more pages that command's output 
regardless of the config cli more setting. 

• Redirecting a command to grep displays only those lines of the 
command's output that contain the word specified after grep. 

HP SA8220#info | grep SNMP 

The above command filters the output of the info command using 
grep such that only lines containing "SNMP" are displayed. 

• Pipes to grep can be cascaded. 

HP SA8220/config/policygroup/test/service#info | grep Primary | grep serv1.com 

The above command displays only lines containing "Primary" 
AND "serv1.com." 

• The output of a command can be directed to both grep and 
more, but the pipe to more must be the last pipe present. 

HP SA8220/config/policygroup/test/service#info | grep Primary | grep serv1.com | more 
Syntax 

This section on the CLI uses the syntax shown below. 

Syntax                  Description 

Angled brackets (<>)    Designates where you enter variable parameters. 

Straight brackets ([])  Choices of parameters appear between straight 
                        brackets, separated by vertical bars. 

Braces ({})             Optional commands or parameters appear 
                        between braces. 

Boldface                Commands that you enter after the CLI prompt 
                        appear in boldface type. The prompt appears in 
                        normal typeface to distinguish it from the 
                        command text. 

Vertical bar (|)        Separates choices of input parameters within 
                        straight brackets. You can choose only one of 
                        the set of choices separated by vertical bars (do 
                        not include the vertical bar in the command). 
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Categorical List of CLI Commands 

This section lists the SA8220's CLI commands by functional 
category. For more complete details regarding CLI commands, 
please see "Run-Time CLI Command Reference" in this chapter. 



Global System 
Commands 



These commands manage general functions and are described later in 
this chapter. 

? 
! 
!! 
! <n> 
Tab key 
arp 
back, .. 
box 
exit 
ether 
force-rwa 
halt 
help 
history 
info 
logout 
netstat {options} 
nslookup 
ping 
quit 
reboot 
remove 
reset 
top 
toplevel 
trace 
traceroute 
who 



Admin 
Commands 

These commands are described later in this chapter. 

config admin info 
config admin port 
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File 

Management 
Commands 



Use these commands to view file-related information and manipulate 
files globally. These commands are described later in this chapter. 

cat 

copy 

dir 

get 

put 

remove 
restore 
restore-verbose 
save 



CLI 

Commands 



These commands modify the CLI environment and are described 
later in this chapter. 

config cli delete <username> 
config cli info 

config cli login-attempts <tries> 
config cli more [enable | disable] 
config cli port <port> 
config cli prompt <prompt> 
config cli screenlines <nlines> 
config cli ssh-port <sshport> 
config cli telnet-sessions <nsessions> 
config cli timeout <nseconds> 

config cli username <name> password <password> level <ro | rw | rwa> 
config cli users 



IRV 

Commands 



The Intelligent Resource Verification commands are described later 
in this chapter. 

config irv 
config irv info 

config irv ping-interval <positive integer 
between 0 and 100,000> [0] 



GUI 

Commands 



These commands are described later in this chapter. 

config gui broker-action [0-5] 
config gui info 

config gui response-timeout <seconds> 
config gui server-action [0-5] 
Routing 
Commands 

These commands are described later in this chapter. 

config route ospf-area [backbone | <area>] 
config route ospf-hello <nseconds> 
config route ospf-dead <nseconds> 
config route ospf-authtype [none | simple ospf-authkey <simple key> | md5 [ospf-authkey md5 <key> keyid <id>]] 
config route protocol [rip | ospf | disable] 
config route rip-version [1 | 2] 
config route role [standalone | primary | backup] 

Policy Group 
Commands 

These commands are described later in this chapter. 

config policygroup create <policy-name> 
config policygroup delete <policy-name> | -all 
config policygroup <policy-name> service <service-name> header-names [certificate <headername> | cipher-used <headername> | source-ip <headername> | ssl-id <headername>] 
config policygroup <policy-name> throttle [enable | disable] 



Service 
Commands 



These commands are described later in this chapter. 

config policygroup <policy-name> service create <service-name> vip <ipaddr> port <port> {type [TCP | UDP | RICH_HTTP]} {sticky [disable | src-ip | cookie]} {sticky-timeout <seconds>} {backups [enable | disable]} {response <milli-sec>} {priority <level>} {balancing [load | robin]} {server-timeout <seconds>} 

config policygroup <policy-name> service delete [<service-name> | -all] 

config policygroup <policy-name> service <service-name> {enable} {disable} {balancing [robin | load]} {sticky [disable | src-ip | cookie]} {sticky-timeout <nseconds>} {backups [enable | disable]} {response <milliseconds>} {dup-syn <microseconds>} {priority <level>} {server-timeout <seconds>} 

config policygroup <policy-name> service <service-name> header 

config policygroup <policy-name> service <service-name> header-names [certificate <name> | cipher-used <name> | source-ip <name> | ssl-id <name>] 



Server 
Commands 



These commands are described later in this chapter. 

config policygroup <policy-name> service <service-name> server create <server-name> port <port> {type [primary | backup | disabled]} {mode [brokered | sap | opr]} {rasap [enable | disable]} {606 [enable | disable]} {http [enable | disable]} 

config policygroup <policy-name> service <service-name> server delete <server-name> port <port> | -all 

Expressions do not apply to the SA7200. 

config policygroup <policy-name> service <service-name> server <server-name> port <port> {mode [brokered | sap | opr]} {type [primary | backup]} {msap [enable | disable]} {606 [enable | disable]} {http [enable | disable]} {expression create <expression>} {expression delete <expression> | -all} 



System 
Commands 



These commands are described later in this chapter. 

config sys 

config sys autoboot [enable | disable] 

config sys hosts info 

config sys hosts delete <ipaddress> 

config sys hosts add <ipaddress> alias 
<hostnamel> {alias2 <hostname2> alias3 
<hostname3> alias4 <hostname4> alias5 
<hostname5> alias6 <hostname6>} 

config sys id <identifier> 

config sys info 

config sys msd 

config sys msd info 

config sys msd port <port> 

config sys software 

config sys software boot <index> 

config sys software delete <index> 

config sys software info 
config sys software install <url> {key <license key>} {user <user name>} {password <password>} {passive <enable | disable>} 
config sys software ms-software info <index> 
config sys software ms-software enable <index> 
config sys software ms-software delete <index> 
config sys software ms-software install 



Security 
Commands 

These commands are described later in this chapter. 

config sys security custom 
config sys security custom access-control [enable | disable] 
config sys security custom acl add ip <xxx.xxx.xxx.xxx> 
config sys security custom acl add netmask <xxx.xxx.xxx.xxx/xx> 
config sys security custom acl delete ip <xxx.xxx.xxx.xxx> 
config sys security custom acl delete netmask <xxx.xxx.xxx.xxx/xx> 
config sys security custom acl info 
config sys security custom forwarding [enable | disable] 
config sys security custom gui [enable | disable] 
config sys security custom info 
config sys security custom ms-agent [enable | disable] 
config sys security custom snmp [enable | disable] 
config sys security custom ssh [enable | disable] 
config sys security custom telnet [enable | disable] 
config sys security info 
config sys security mode <open | closed | custom> 
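The security commands above, together with the CLI user and session commands, are what an administrator uses to shrink the appliance's management attack surface (SSH only, management ACL enforced, Telnet and unneeded agents off). The following Python is an added example, not code from the HP manual: it emits such a hardening command set in the order that avoids locking yourself out (populate the ACL before enabling access-control) and audits a saved configuration for the risky settings. It assumes, which the manual does not state, that the commands are entered at the top-level prompt exactly as spelled in the lists, that a saved configuration file is a plain list of such commands, and that the "custom" security mode is what makes the per-service custom switches take effect; hardened.cfg is a made-up file name.

```python
"""Added example (not from the HP manual): emit and audit an SA8220
management-plane hardening command set.

Assumptions, not stated by the manual: commands are entered at the top-level
prompt exactly as spelled in the Security and CLI command lists; a saved
configuration file is a plain list of such commands; the "custom" security
mode is what makes the per-service custom switches take effect.
"hardened.cfg" is a made-up file name.
"""
import ipaddress
from typing import Iterable, List

SEC = "config sys security"


def hardening_commands(mgmt_hosts: Iterable[str], mgmt_nets: Iterable[str],
                       keep_gui: bool = False, keep_snmp: bool = False) -> List[str]:
    """Return CLI commands that leave only SSH (plus optional GUI/SNMP) reachable,
    and only from the given management hosts and networks."""
    hosts = [str(ipaddress.IPv4Address(h)) for h in mgmt_hosts]   # ValueError on junk
    nets = [ipaddress.IPv4Network(n) for n in mgmt_nets]          # strict: host bits must be 0
    if not hosts and not nets:
        raise ValueError("refusing to enforce an empty ACL: that locks every admin out")
    cmds = [
        "config cli login-attempts 3",          # limit password guessing per session
        "config cli timeout 300",               # idle sessions die after 5 minutes
        f"{SEC} custom ssh enable",
        f"{SEC} custom telnet disable",         # cleartext credentials on the wire
        f"{SEC} custom gui {'enable' if keep_gui else 'disable'}",
        f"{SEC} custom snmp {'enable' if keep_snmp else 'disable'}",
        f"{SEC} custom ms-agent disable",
        f"{SEC} custom forwarding disable",
    ]
    cmds += [f"{SEC} custom acl add ip {h}" for h in hosts]
    cmds += [f"{SEC} custom acl add netmask {n.network_address}/{n.prefixlen}" for n in nets]
    # Turn enforcement on only after the ACL is populated, then select the profile.
    cmds += [f"{SEC} custom access-control enable", f"{SEC} mode custom", "save hardened.cfg"]
    return cmds


# Exact command text -> finding, for auditing a saved configuration.
RISKY = {
    f"{SEC} custom telnet enable": "cleartext Telnet management enabled",
    f"{SEC} custom snmp enable": "SNMP enabled (factory public/private communities may still exist)",
    f"{SEC} custom access-control disable": "management ACL not enforced",
    f"{SEC} mode open": "security mode open",
}


def audit_config(lines: Iterable[str]) -> List[str]:
    """Return human-readable findings for a saved configuration (list of CLI lines)."""
    norm = [" ".join(line.split()) for line in lines if line.strip()]
    findings = [msg for cmd, msg in RISKY.items() if cmd in norm]
    if not any(line.startswith(f"{SEC} custom acl add") for line in norm):
        findings.append("no management ACL entries")
    if any(line.startswith("config cli username") for line in norm):
        findings.append("config cli username present (not valid in saved configurations)")
    return findings


if __name__ == "__main__":
    for c in hardening_commands(["10.1.2.50"], ["10.1.2.0/24"]):
        print(c)
    print(audit_config(["config sys security mode open"]))
```

Run the generated lines from an SSH session that itself originates from one of the listed hosts or networks; the order matters because access-control is enforced only after the ACL entries exist. User accounts are deliberately left out of the generated file: the manual notes that config cli username commands are not valid in configuration files, so the audit flags them rather than the generator emitting them.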
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SNMP 
Commands 



These commands are described later in this chapter. 

config sys snmp community info 
config sys snmp community create <community string> ip [<ip address> | any] rights [ro | rw] 
config sys snmp community delete <string> ip [<ip address> | any] 
config sys snmp info 
config sys snmp port <#> 
config sys snmp sysContact <string> 
config sys snmp sysLocation <string> 
config sys snmp sysName <string> 
config sys snmp trap <port> 
config sys snmp trap create <ip address> community <community string> 
config sys snmp trap delete <ip address> community <community string> 
config sys snmp trap info 
config sys snmp trap port <port> 



SSL 

Commands 
(SA8200/ 
SA8220 only) 



These commands modify the SSL configuration. They can be used to 
set the defaults for configuring certificates in the policy group, and 
are described later in this chapter. Of the cipher suite classes, export 
and low are weak by current standards; select high (or a custom suite 
list) unless a legacy client leaves no choice. 

config policygroup <policy-name> service <service-name> key [create | delete | import | export | info] 

config policygroup <policy-name> service <service-name> key certificate [create | delete | import | export | info] 

config policygroup <policy-name> service <service-name> key client-ca [delete | export | import | info] 

config policygroup <policy-name> service <service-name> key client-ca header-certificate [disable | enable] 

config policygroup <policy-name> service <service-name> key client-ca revocation [delete | import | info | mode <disable | enable> | refresh <interval | now> | url <url> {user <username> password <password> | <none>}] 

config policygroup <policy-name> service <service-name> key redirect [<url> | default | none] 

config policygroup <policy-name> service <service-name> key signrequest [create | delete | export | info] 

config policygroup <policy-name> service <service-name> key suite [all | high | medium | low | export | <custom>] <CIPHERSUITE> 

config ssl info 

config ssl redirect [<url> | none] 

config ssl suite [all | high | medium | low | export | <custom>] 

config ssl cache [enable | disable] 

config ssl dn [name <name> | email <email> | locality <local> | state <state> | country <country> | organization <org> | unit <unit>] 


Logging 
Commands 



These commands are described later in this chapter. 

config logging info 

config logging sys 

config logging output 

config logging sys info 

config logging sys enable 

config logging sys disable 

config logging output info 

config logging output logsize 

config logging output viewlog 

config logging output maillog 



Show 

Commands 



These commands are described later in this chapter. 

show admin info 
show cli info 
show gui info 
show irv info 
show msd info 
show policygroup info 
show policygroup <policy-name> info 
show policygroup <policy-name> service info 
show policygroup <policy-name> service <service-name> info 
show policygroup <policy-name> service <service-name> key info 
show policygroup <policy-name> service <service-name> key certificate info 
show policygroup <policy-name> service <service-name> key client-ca info 
show policygroup <policy-name> service <service-name> key client-ca revocation info 
show policygroup <policy-name> service <service-name> key signrequest info 
show policygroup <policy-name> service <service-name> server info 
show policygroup <policy-name> service <service-name> server <server-name> info 
show policygroup <policy-name> service <service-name> server <server-name> port info 
show policygroup <policy-name> service <service-name> server <server-name> port <port> expression 
show policygroup <policy-name> service <service-name> server <server-name> port <port> info 
show route info 
show ssl info 
show stats info 
show stats service <vip> vport <port> 
show stats service <vip> vport <port> server <ipaddr> port <port> info 
show sys date 
show sys info 
show sys snmp info 
show sys software info 
show sys software ms-software info 

NOTE: Expressions do not apply to the SA7200. 
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Run-Time CLI Command Reference 



Global System 
Commands 

Descriptive examples of the Global System commands are provided 
below. 



?   Displays the help command tree. 

!   Enter ! followed by an index number from the history list to 
execute the indexed command. 

! <n> 

where n is the index number of the command you want to execute. 

!!   Repeats the last command. 

Tab key   Lets you view the commands available for the current prompt 
level, and can be used to complete a command. For example, 
typing "con<TAB>" will create the word "config." 

arp   Displays the SA8220's ARP table. 

back, ..   Brings you up one level in the CLI command tree. 

box [top, toplevel]   Brings you back to the beginning (root level) of the CLI 
command tree. 

exit [logout, quit]   Exits the CLI. 

ether   Displays the Ethernet interface values. 

force-rwa   If a user with Read-Write-All authorization logs on when another 
user with the same authorization is already logged on, the SA8220 
"demotes" the new user's permission to Read-only. The force-rwa 
command restores a demoted user's permission to Read-Write-All. 
This command is available only to users with "rwa" authorization. 

NOTE: The use of force-rwa potentially allows conflicts among users of equivalent authorization. 

force-rwa {-cleanup} 

where -cleanup automatically logs off all other users. 
halt   Halts the SA8220. 

help   Displays help for the CLI commands. 

history   Displays the command history. Use "!" or "h" to recall a 
command number from the history list. 

info   Displays configuration information for the current prompt level. 

logout [exit, quit]   Exits the CLI. 

netstat   Displays the SA8220's routing tables. 



Global options for the netstat command include: 

• -I <interface> Can be exp0 or exp1 for a dual-homed device 

• -n Do not try to use DNS to resolve IP addresses 

• -p <protocol> Where <protocol> can be either "ip", "icmp", 
"igmp", "tcp", or "udp" 

Forms of the netstat command include: 

• No switches displays active network connections 

• -r displays the device's forwarding table 

• -rs displays the device's forwarding table statistics 

• -s displays protocol statistics 

• -i displays interface configuration information 

• -is displays interface statistics 

nslookup Performs an nslookup of the specified IP address or hostname 

nslookup <ipaddr | hostname> 
where: 

• ipaddr is the IP address 

• hostname is the name of the host 
ping   Tests the network connection to another networking device. The 
command sends an ICMP packet from the SA8220 to the target 
device, which (if it receives the packet) sends a ping reply. After 
the SA8220 receives the reply, it displays a message indicating that 
the specified IP address is alive. If the SA8220 receives no reply, 
it displays a message indicating that the target device is not 
responding. 

ping [<ipaddress> | <hostname>] 

where: 

• ipaddress is the IP address of the other networking device 

• hostname is the host name of the other networking device 

quit [exit, logout]   Exits the CLI. 

reboot   Reboots the SA8220. 



reset   Resets the SA8220 to its original factory configuration, as listed 
below. Note that only parameters set within the CLI are affected. 
Networking parameters controlled through the Boot monitor are 
not affected by the reset command. 

NOTE: Reset causes all policy groups, services, and servers to be deleted. This operation will disable all remote administration access (the security mode returns to closed, and Telnet, GUI, and SNMP are disabled, as listed under Security Settings below). Use the command config sys security to re-enable remote access. Note also that the SNMP community strings return to the well-known public/private defaults, so re-create them before enabling SNMP again, and keep a saved configuration (see save) before resetting. 

CLI Factory Settings: 

Telnet port is set to 23. 
Prompt is reset to product name. 
Maximum telnet sessions is set to 3. 
Scrolling is disabled. 
Idle timeout is set to 900 seconds. 
Maximum login attempts is set to 3. 
Unit ID is set to the factory value. 
IRV is disabled. 
SSH port is set to 22. 
Screenlines is set to 25. 
GUI Settings: 

• Response timeout is set to 30 seconds. 

• Broker-action is set to 0 (Policy Manager). 

• Server-action is set to 1 (Statistics) 

Multi-site Settings: 

• MSD port is set to 1999. 

Route Factory Settings: 

• Role is set to 'standalone.' 

• Protocol is set to 'none' 

• OSPF-area is set to 'backbone.' 

• Hello interval is set to 10 seconds. 

• Dead interval is set to 40 seconds. 

• RIP version is set to 2.0. 

Security Settings: 

• acl is cleared. 

• custom access-control is disabled. 

• custom forwarding is disabled. 

• custom ssh is enabled. 

• custom telnet is disabled. 

• custom gui is disabled. 

• custom snmp is disabled. 

• custom ms-agent is disabled. 

• security mode is set to closed. 

SNMP Settings: 

• sysContact is set to a null. 

• sysName is set to the host name of the unit. 

• sysLocation is set to a null. 

• Community private string rights set to RW. 

• Community public string rights set to RO. (These are the well-known default community strings; delete or replace them with config sys snmp community delete and config sys snmp community create before enabling SNMP.) 

• Auto topology is disabled. 

• Port is set to 161. 

• Trap port is set to 162. 

• All traps are deleted. 
SSL Settings: 

• Suite is set to 'default.' 

• Cache is set to 'enable.' 

• Redirect is set to 'none.' 



top [box, toplevel] Changes the prompt to the system's top or box level 

trace Displays TCP packets coming into or out of the SA8220. It can be 

helpful for troubleshooting network problems. Trace accepts a 
tcpdump-style expression and several command line options that 
cause the device to capture packets in the tcpdump binary format; 
You can TFTP this capture to a remote machine for debugging. 
Use the CLI file management command to TFTP the resultant 
dump file from this device. Any machine with tcpdump can 
decode the binary file into human-readable packet dumps using the 
"-r" switch. This command will prompt you for the name of an 
output file and a filter file. Press <return> when prompted for a 
filter file if you do not have one. It is simply a text file containing 
an arbitrarily long tcpdump-style expression which trace can 
use. 

trace <switches> <expression> 
Available switches: 

• -a Attempt to use the DNS to convert address to names. 

• -c <int> Exit after receiving <int> packets (by default, 
the command automatically exits after 60 seconds). 

• -e Print the link-level header on each dump line. 

• -i <interface> Specify an interface to capture packets 
from (exp0 or exp1 for dual-homed devices). 

• -n Don't convert addresses to names. 

• -N Don't print domain name qualification of host names. 

• -q Output less protocol information. 

• -s <int> Capture <int> bytes of data from each packet 
rather than the default of 76 bytes. 

• -S Output absolute rather than relative TCP sequence 
numbers. 

• -t Don't output a timestamp on each dump line. 

• -tt Output an unformatted timestamp on each dump line. 

• -v Slightly more verbose output. 

• -w Even more verbose output. 
• -x Output each packet in hex. 

• -X Output each packet in hex and ASCII. 

The <expression> has the same format as a "tcpdump" 
expression: if no <expression> is given, all packets on the net 
will be output. <expression> primitives (listed below) can be 
combined using parentheses and '!' or 'not', '&&' or 'and', and '||' or 
'or'. 

The <expression> primitives are listed below: 

• dst host <host> : true if the IP destination field of the 
packet is <host>. 

• src host <host> : true if the IP source field of the packet 

is <host>. 

• host <host>: true if either the IP source or destination 
field of the packet is <host>. 

• ether dst <ehost> : true if the ethernet destination 
address is <ehost>. 

• ether src <ehost> : true if the ethernet source address is 
<ehost>. 

• ether host <ehost>: true if either the ethernet source or 
destination address is <ehost>. 

• gateway <host> : true if the packet used <host> as a 
gateway. 

• dst net <net> : true if the IP destination address of the 
packet has a network number of <net>. 

• src net <net> : true if the IP source address of the packet 
has a network number of <net>. 

• net <net> : true if the IP source or destination address of 
the packet has a network number of <net>. 

• net <net> mask <mask> : true if the IP address matches 
<net> with the specific netmask 

• net <net>/<len> : true if the IP address matches <net> a 
netmask <len> bits wide. 

• dst port <port> : true if the packet is ip/tcp or ip/udp 
and has a destination port value of <port>. 

• src port <port> : true if the packet has a source port 
value of <port>. 

• port <port> : true if either the source port value or 
destination port has a value of <port>. 
• ip proto <protocol>: true if the packet is an ip packet 
of protocol type <protocol>, where <protocol> is 
icmp, udp, or tcp. 

• ether broadcast: true if the packet is an ethernet 
broadcast packet. 

• ip broadcast: true if the packet is an IP broadcast packet 
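The trace command writes its capture in tcpdump binary (pcap) format, which the manual says to pull off the device by TFTP and decode with tcpdump -r. The following Python is an added example, not code from the HP manual: it reads such a file without tcpdump (global header, byte-order detection, per-record headers, snaplen/truncation checks) and applies the equivalent of the host and port primitives listed above, ANDed as trace would combine them. The only thing it takes from the manual is that trace produces tcpdump-format files; that the frames are Ethernet (pcap link type 1) is an assumption, and the sample capture, addresses and ports are constructed for the example.

```python
"""Added example (not from the HP manual): read a trace capture (tcpdump/pcap
binary format) without tcpdump and apply the `host`/`port` primitives.

Assumption: trace writes classic pcap with Ethernet (link type 1) frames.
The sample capture below is constructed for the example, not real trace output.
"""
import socket
import struct
from typing import Dict, Iterator, List, Optional

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame; detect byte order from the magic number."""
    if len(data) < 24:
        raise ValueError("short pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError(f"not a pcap file (magic {magic:#010x})")
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(data):
            # Refuse to guess at a corrupt or truncated record.
            raise ValueError(f"truncated or corrupt record at offset {off - 16}")
        yield data[off:off + incl]
        off += incl


def parse_frame(frame: bytes) -> Optional[Dict]:
    """Decode Ethernet/IPv4 headers and TCP/UDP ports; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    rec = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "proto": PROTO_NAMES.get(proto, str(proto)), "sport": None, "dport": None}
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return rec


def select(data: bytes, host: Optional[str] = None, port: Optional[int] = None) -> List[Dict]:
    """trace-style `host <host>` and `port <port>` primitives, ANDed together."""
    out = []
    for rec in map(parse_frame, iter_pcap_frames(data)):
        if rec is None:
            continue
        if host is not None and host not in (rec["src"], rec["dst"]):
            continue
        if port is not None and port not in (rec["sport"], rec["dport"]):
            continue
        out.append(rec)
    return out


# --- constructed sample capture (not real trace output) ---
def make_frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16   # rest of the L4 header zeroed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def make_pcap(frames: List[bytes], end: str = "<") -> bytes:
    header = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack(end + "IIII", 1_000_000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE_FRAMES = [
    make_frame("10.1.2.50", "10.1.2.10", 6, 51234, 1095),   # admin GUI request
    make_frame("10.1.2.10", "10.1.2.50", 6, 1095, 51234),   # GUI reply
    make_frame("10.1.2.77", "10.1.2.10", 17, 53001, 161),   # SNMP query
    make_frame("10.1.2.10", "10.1.2.77", 17, 161, 53001),   # SNMP reply
]
SAMPLE_PCAP = make_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for r in select(SAMPLE_PCAP, host="10.1.2.10", port=1095):
        print(r)
```

Because trace defaults to capturing 76 bytes per packet (-s), a record's included length will usually be smaller than its original length; the reader keys on the included length and rejects any record that claims more bytes than the snaplen or than remain in the file, which is the check that matters when a capture was cut short by the 60-second or -c limit.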

traceroute Displays the route that packets travel to the network host. 

traceroute [<ipaddr> | <hostname>] 
where: 

• hostname is the name of the network host 

• ipaddr is the network host's IP address 

who Displays the list of currently logged on users, with their permission 

levels and whether they are logged on using the CLI or GUI 

who 
Admin 
Commands 

The SA8220's admin commands (see below) specify the server port 
where the Graphical User Interface is accessed and verify the current 
port. 

config admin info   Displays the current Graphical User Interface (GUI) port. 

config admin info 

config admin port   Sets the Graphical User Interface (GUI) port number. This is the 
port where the admin GUI listens for connections. The Admin GUI 
allows the user to configure the unit using a graphical user 
interface. 

config admin port <port> 

where port is the GUI http port. You can select any available port 
between 1 and 65535. The default is 1095. 



File 

Management 
Commands 



The File Management commands are described below. 



cat   Displays contents of the specified saved configuration file. 

cat {<filename>} 

where filename is the name of the file to be displayed. If not 
specified, the file default.cfg is displayed. 

copy   Copies an existing configuration file to a new file. 

copy <source> to <destination> 

where source is the name of the original file and destination 
is the name of the target file. 
dir   Displays a list of saved configuration files. 

dir 

get   Retrieves a configuration file from a TFTP server. Because the 
TFTP protocol has no user logon or validation, sites that support it 
typically enforce some file access restrictions. Such restrictions are 
specific to each site and vary widely in scope and methods. TFTP also 
gives the appliance no way to verify the server or the integrity of the 
file, so use it only over a trusted management network and inspect the 
retrieved file (cat) before restoring it. 

get <tftpurl> 

where tftpurl is the name of the TFTP server and file to 
retrieve. 


put   Puts a configuration to the specified remote file or directory. If the 
remote-directory form is used, the remote host is assumed to be a 
UNIX machine. Because the TFTP protocol has no user logon or 
validation, sites that support it typically enforce some file access 
restrictions. Such restrictions are specific to each site and vary 
widely in scope and methods. The file travels in cleartext and a saved 
configuration can include sensitive values (such as SNMP community 
strings), so treat it as confidential and transfer it only over a trusted 
management network. 

Example: 

put default.cfg to tftp://192.168.10.1/default.cfg 


remove 




Removes a configuration file. 

remove <filename> 

where filename is the name of the configuration file to be removed. 


restore   Restores a CLI configuration from a previously saved file (see 
save). 

NOTE: Username commands are not valid in configuration files, that is, save config and restore config operations do not include username data. Use the command config cli username to restore usernames. 

restore {<filename>} 

where filename is the name of the configuration file to be 
restored (the default file name is default.cfg). 
restore-verbose   Same as restore but displays every line as it is restored. The note 
under restore about username commands applies here as well. 

restore-verbose {<filename>} 

where filename is the name of the configuration file to be 
restored (the default file name is default.cfg). 



save 

NOTE: Username 
commands are not valid in 
configuration files, that is, 
save config and restore 
config operations do not 
include username data. Use 
the command config cli 
username to restore 
usernames. 



Saves the current CLI configuration to a file of the specified name. 
This information is saved in an ASCII file (see also restore). 

save (unknown) 

where filename is the file name used to store the configuration 
(the default file name is default . cf g). 
CLI Commands

The Command Line Interface commands are described below.


config
Changes the prompt to the CLI config branch.

config


config cli delete
Deletes the specified user.

config cli delete <username>


config cli info
Shows all current CLI settings at this level.

config cli info


config cli login-attempts
Specifies the maximum allowable number of failed login attempts
before closing the connection.

config cli login-attempts <tries>

where tries is a number from 1 to 30.


config cli more
Sets scrolling of the output display to one page at a time or to
continuous display.

config cli more [enable | disable]

where:

• enable allows you to scroll one page at a time.

• disable results in continuous scrolling.


config cli port
Specifies the telnet port on which the CLI runs.

NOTE: If you are logged in using telnet, do not use this command.
Doing so will change the port parameters and you will be disconnected.

config cli port <port>

where port is a valid port. Valid ports are port 23 (the default) or
any unused port between 1024 and 65535.


config cli prompt
Changes the root level prompt.

config cli prompt <prompt>

where prompt is the new prompt name. The default prompt is an
abbreviation of the product's name, such as "HP SA8220." The
default prompt can be restored by entering "" (two double quotes
with no space between them) as the prompt name.


config cli screenlines
Specifies the number of lines in the output display.

config cli screenlines <nlines>

where nlines is the number of output lines (8 to 64; the default is
23).


config cli telnet-sessions
Sets the allowable number of concurrent inbound remote CLI
logon sessions.

config cli telnet-sessions <nsessions>

where nsessions is the number of allowed sessions (1 to 8; the
default is 3).


config cli ssh-port
Sets the Secure Shell (SSH) port number.

NOTE: If you are logged in using SSH, do not use this command.
Doing so will change the port parameters and you will be disconnected.

config cli ssh-port <port>

where port is a valid port. Valid ports are port 22 (the default) or
any unused port between 1024 and 65535.


config cli timeout
Sets or changes the idle timeout period before automatic logout for
CLI sessions. This feature can be disabled by setting the timeout
value to "0."

config cli timeout <nseconds>

where nseconds is the timeout period in seconds (0, or 30 to
65535). The default is 900 seconds (15 minutes).


config cli username
Adds, changes, or deletes the logon entry or password. The default
user name, "admin", cannot be deleted.

NOTE: Username commands are not valid in configuration files, that is,
save config and restore config operations do not include username data.

To add or update a user:

config cli username <name> password <password>
level [ro | rw | rwa]

where:

• name is the logon name (must be from 2 to 16 alphanumeric
characters with no spaces, and the first character must be
alpha)

• password is the password (must be from 2 to 16
alphanumeric characters with no spaces)

• level is the authorization level (ro = read only, rw = read
and write, and rwa = read, write all).


config cli users
Views the logon and user levels for the different access levels.

config cli users
IRV Commands

The Intelligent Resource Verification (IRV) commands are
described below.


config irv info
Displays the current ping interval.

config irv info


config irv ping-interval
Sets the IRV ping interval.

config irv ping-interval <ping-interval>

where ping-interval is the number of seconds from 0 to
100,000. To disable IRV, set the ping-interval to 0.
GUI Commands

The Graphical User Interface (GUI) commands are described below.


config gui broker-action
Specifies the start screen within the GUI when you double-click a
SA8220 icon in the topology screen.

config gui broker-action [0-5]

where [0-5] is an integer between 0 and 5 that indicates one of
the following destination screens:

• 0 = Policy Manager (default)

• 1 = Statistics

• 2 = Administration

• 3 = Tools

• 4 = Configuration Maintenance

• 5 = Event Log


config gui info
Displays current Graphical User Interface (GUI) configuration
information.

config gui info


config gui response-timeout
Specifies the interval in seconds the GUI waits for a response from
the SA8220 before it times out.

config gui response-timeout <seconds>

where seconds is an integer between 0 and 120. A value of 0
disables the timeout, and the default value is 30.


config gui server-action
Specifies the start screen within the GUI when you double-click a
server icon in the topology screen.

config gui server-action [0-5]

where [0-5] is an integer between 0 and 5 that indicates one of
the following destination screens:

• 0 = Policy Manager

• 1 = Statistics (default)

• 2 = Administration

• 3 = Tools

• 4 = Configuration Maintenance

• 5 = Event Log





Routing Commands

NOTE: Latency exists in the refresh process of normal routing tables.
If you configure the OSPF routing protocol for a SA8220 on a specific
router, VIP destinations may be inconsistent in the routing table. If
you change the role from or to Standalone, you must specify the
protocol on the same line.

The Routing Commands (described below) are used both in route
failover mode and in serial failover mode. In serial failover mode,
they advertise routes to the VIPs.

This is critical for VIPs that are not in the same subnet as the SA8220.
If you use route failover, you must configure a routing protocol
(OSPF or RIP) appropriate to your router.

Use of the first two commands in this section, config route role and
config route protocol, must be coordinated. If role is set to
"standalone," then protocol must be set to "none" (such as config
route role standalone protocol none). If role is set to "primary" or
"backup," then protocol must be set to OSPF or RIP.

For example:

config route role standalone protocol disable

or

config route role primary protocol ospf


config route ospf-area
Changes the OSPF area.

NOTE: ospf-area must be set to the same OSPF area as the ingress
router to which the SA8220 is talking. This can be the keyword
"backbone," an integer from 0 to 2,147,483,647, or dotted decimal
format.

config route ospf-area [backbone | <area>]

where:

• backbone sets the OSPF area to backbone (0.0.0.0)

• area is the OSPF area ID.


config route ospf-hello
Changes the OSPF hello interval. The hello interval is the number
of seconds between hello packets sent on this interface. This must
match the hello interval of the ingress router. The range of valid
values is 1 to 65535, and the default is 10.

config route ospf-hello <nseconds>

where nseconds is the number of seconds in the hello interval.


config route ospf-dead
Changes the duration of the OSPF router dead interval. The router
dead interval is the number of seconds the SA8220's OSPF
neighbors should wait before assuming that this OSPF SA8220 is
down. This must match the router dead interval of the ingress
router. The valid range is from 1 to 2,147,483,647, and the default is
40.

This value must be at least four times the hello interval.

config route ospf-dead <nseconds>

where nseconds is the number of seconds in the OSPF router
dead interval.


config route ospf-authtype
Specifies the OSPF authentication mode. Router authentication
type and key are security mechanisms to guarantee that routing
information is exchanged only with trusted routers. The type and
key together comprise the "authentication scheme."

NOTE: An OSPF Area can have only one OSPF authentication scheme.
Select none to specify no OSPF authentication, or simple to specify
simple password authentication. If you select simple, you must
provide an authentication key: a string of from one to eight
characters (double quotes and spaces excluded). The default is none.
Both sides of the OSPF connection must use the same authentication
type and key.

config route ospf-authtype [none | simple
ospf-authkey <simplekey> | md5 ospf-authkey
<md5key> keyid <id>]

where:

• none disables OSPF authentication

• simple enables OSPF authentication (requiring you to
provide an authentication key)

• simplekey is a string of from one to eight characters used as
an authentication password. Spaces and double quotes are not
permitted. This string must match the SA8220's OSPF
neighbors.

• md5key is a string of from one to sixteen characters. Spaces
and double quotes are not permitted.

• id is an integer between 1 and 255.


config route protocol
Specifies the desired routing protocol.

config route protocol [rip | ospf | disable]

where:

• rip enables Routing Information Protocol (RIP) on the
SA8220

• ospf enables Open Shortest Path First (OSPF) routing
protocol on the SA8220

• disable disables both RIP and OSPF protocols.


config route rip-version
Specifies the RIP version (1 or 2).

config route rip-version [1 | 2]

where 1 or 2 enables RIP version 1 or 2, respectively.


config route role
Specifies the SA8220's role as "Standalone," "Primary," or
"Backup." The default is Standalone.

config route role [standalone | primary | backup]

where:

• standalone enables the SA8220's standalone mode

• primary enables the SA8220's primary mode

• backup enables the SA8220's backup mode.
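The CLI Commands and Routing Commands above define the settings an operator most often gets wrong from a security standpoint: an idle timeout of 0, a permissive login-attempts count, telnet on the CLI port, an uncoordinated role/protocol pair, a dead interval below four times the hello interval, and OSPF without authentication. The following audit script is an added example and not part of the HP user guide; it assumes that the file written by the save command holds one CLI command per line, spelled as the commands appear in this chapter, and the thresholds marked POLICY are the auditor's own rather than values from the guide.

```python
"""Audit a saved SA8220 CLI configuration for weak or inconsistent settings.

Added example, not part of the HP user guide. It assumes the file written
by the `save` command holds one CLI command per line, spelled exactly as
the commands appear in the guide. Values marked POLICY are this auditor's
own thresholds; the ranges and defaults quoted are the guide's.
"""
import shlex

# Constructed sample of a saved configuration (not a real appliance dump).
SAMPLE_CONFIG = """\
config cli timeout 0
config cli login-attempts 30
config cli port 23
config cli ssh-port 22
config route role primary protocol ospf
config route ospf-hello 10
config route ospf-dead 30
config route ospf-authtype none
"""

MAX_LOGIN_ATTEMPTS = 5  # POLICY: the guide permits 1 to 30


def parse_config(text):
    """Split the saved configuration into token lists, one per command line."""
    return [shlex.split(line) for line in text.splitlines() if line.strip()]


def collect_settings(text):
    """Return ({cli setting: value}, {route setting: value}) from the config.

    `config route role X protocol Y` carries two settings on one line, and
    `config route ospf-authtype md5 ospf-authkey K keyid N` three, so route
    lines are read as keyword/value pairs.
    """
    cli, route = {}, {}
    for tok in parse_config(text):
        if tok[:2] == ["config", "cli"] and len(tok) >= 4:
            cli[tok[2]] = tok[3]
        elif tok[:2] == ["config", "route"] and len(tok) >= 4:
            route.update(zip(tok[2::2], tok[3::2]))
    return cli, route


def audit(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    cli, route = collect_settings(text)
    findings = []

    # CLI access: the guide allows timeout 0, which disables automatic logout.
    if cli.get("timeout") == "0":
        findings.append(("cli-timeout-disabled",
                         "config cli timeout 0: idle sessions are never logged out"))
    tries = cli.get("login-attempts")
    if tries is not None and int(tries) > MAX_LOGIN_ATTEMPTS:
        findings.append(("cli-login-attempts",
                         f"login-attempts {tries} exceeds policy maximum {MAX_LOGIN_ATTEMPTS}"))
    if "port" in cli:
        findings.append(("cli-telnet",
                         f"CLI offered over telnet on port {cli['port']}; telnet carries "
                         "credentials in cleartext, administer over the SSH port instead"))

    # Routing: role and protocol must be coordinated (guide, Routing Commands).
    role, proto = route.get("role"), route.get("protocol")
    if role == "standalone" and proto not in (None, "disable", "none"):
        findings.append(("route-role-protocol",
                         f"role standalone requires protocol disable, found {proto}"))
    if role in ("primary", "backup") and proto not in ("ospf", "rip"):
        findings.append(("route-role-protocol",
                         f"role {role} requires protocol ospf or rip, found {proto}"))

    if proto == "ospf":
        hello = int(route.get("ospf-hello", 10))   # guide default 10
        dead = int(route.get("ospf-dead", 40))     # guide default 40
        if dead < 4 * hello:
            findings.append(("ospf-dead-interval",
                             f"ospf-dead {dead} is below four times ospf-hello {hello}"))
        authtype = route.get("ospf-authtype", "none")  # guide default none
        key = route.get("ospf-authkey", "")
        if authtype == "none":
            findings.append(("ospf-auth-none",
                             "OSPF runs without authentication; any neighbor can inject routes"))
        elif authtype == "simple":
            if not 1 <= len(key) <= 8:
                findings.append(("ospf-auth-key", "simple key must be 1 to 8 characters"))
            findings.append(("ospf-auth-simple",
                             "simple OSPF password travels in cleartext; prefer md5"))
        elif authtype == "md5":
            keyid = route.get("keyid")
            if not 1 <= len(key) <= 16 or keyid is None or not 1 <= int(keyid) <= 255:
                findings.append(("ospf-auth-key",
                                 "md5 key must be 1 to 16 characters with keyid 1 to 255"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"{code:22} {message}")
```

Run against a file produced by save (after copying it off the appliance with put) to review an appliance's CLI and routing hardening before it goes into service.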
Policy Group Commands

NOTE: The names of existing Policy Groups cannot be changed.

The Policy Group commands are described below. Policy Group
names must adhere to the following conventions:

• From 1 to 25 characters in length

• Any alphanumeric character

• Other eligible characters include hyphens ("-"), periods ("."), and
underscores ("_")

• Spaces must not be used.

Within these restrictions, the naming of Policy Groups is at your
discretion, though convenient naming schemes might include
serial names ("Group1," "Group2," etc.), or names that reflect a
Policy Group's content, such as "e-CommerceGrp" or
"HTTP_Group."


config policygroup create
Creates a new Policy Group.

config policygroup create <policy-name>

where policy-name is the name of the Policy Group to create.


config policygroup delete
Deletes an existing Policy Group.

config policygroup delete [<policy-name> | -all]

where policy-name is the name of the Policy Group to delete. Type
"-all" to delete all policy groups.


config policygroup throttle
Enables throttling of services to meet specified response times.

NOTE: When throttling is activated, requests to eligible servers in
lower-priority services are throttled until response times are met or
all eligible servers have been throttled. An eligible server is one
that is shared by both a higher and lower priority service. Throttling
affects all services within the Policy Group.

config policygroup <policy-name> throttle
[enable | disable]

where:

• policy-name is the name of the policy group

• enable enables throttling

• disable disables throttling


config policygroup service backups
Enables or disables servers designated as "backup" to come on line
if necessary to assure target response times.

config policygroup <policy-name> service
<service-name> backups [enable | disable]

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• enable enables backup server(s)

• disable disables the backup server(s)
config policygroup service balancing
Changes the load balancing algorithm. The default algorithm is
"load."

config policygroup <policy-name> service
<service-name> balancing [robin | load]

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• robin directs the service to use the round-robin load
balancing algorithm

• load directs the service to use the response time load
balancing algorithm.


config policygroup service create
Creates a service. The default type is TCP.

NOTE: The VIP/port combination must be unique. The service type
defaults to TCP unless specified otherwise on the command line. The
service-name, ipaddr, and port cannot be changed once you enter
this command.

config policygroup <policy-name> service create
<service-name> vip <ipaddr> port <port> {type
[TCP | UDP | RICH_HTTP]}

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service you want to create

• ipaddr is the virtual IP address (xxx.xxx.xxx.xxx)

• port is the listening port for incoming connections. You can
select port numbers between 1 and 65535.


config policygroup service delete
Deletes an existing service.

config policygroup <policy-name> service delete
[<service-name> | -all]

where:

• policy-name is the name of the Policy Group that contains
the service to be deleted

• service-name is the service to be deleted

• -all deletes all services and associated servers
config policygroup service disable
Disables the specified service.

config policygroup <policy-name> service
<service-name> disable

where:

• policy-name is the name of an existing policy group

• service-name is the name of the service


config policygroup service dup-syn
Sets the time interval (in microseconds) within which, if the
dynamically calculated number of duplicate SYNs (lost packets) to
a fulfillment server is detected, the server is declared dead.

config policygroup <policy-name> service
<service-name> dup-syn <microseconds>

where:

• policy-name is the name of an existing policy group

• service-name is the name of the service

• microseconds is the time interval within which to count
dropped packets. You can specify a value from 1000 to
2,147,483,647, and the default is [illegible]00,000.


config policygroup service enable
Enables the specified service.

config policygroup <policy-name> service
<service-name> enable

where:

• policy-name is the name of an existing policy group

• service-name is the name of the service


config policygroup service header
Enables or disables the HTTP header information.

NOTE: Enabled for RICH_HTTP services by default.

config policygroup <policy-name> service
<service-name> header [enable | disable]

where:

• policy-name is the name of the policy group

• service-name is the name of the service

• enable enables the HTTP header information

• disable disables the HTTP header information
config policygroup service header-name
Sets the name used in the HeaderNameField of the HTTP headers
inserted when header or header-certificate are enabled,
on a per-service basis.

NOTE: The SA7220 supports ONLY the source-ip parameter. The
SA8200/SA8220 support all four parameters (certificate, cipher-used,
source-ip, and ssl-id). With header-certificate enabled, and using
Internet Explorer* with a non-trusted CA (for example, a
broker-generated or Microsoft IIS server-generated server
certificate), the client certificate may not pass through on the first
request. Pass-through behaves correctly if the server certificate is
obtained from a recognized CA such as Verisign*.

config policygroup <policy-name> service
<service-name> header-name [certificate
<headername> | cipher-used <headername> |
source-ip <headername> | ssl-id <headername>]

where:

• policy-name is the name of the policy group

• service-name is the name of the service

• headername is the name to use in the HTTP header

With header enabled, the following are the default HTTP header
names:

• source-ip: HP_SOURCE_IP

With header-certificate enabled, the following are the default
HTTP header names:

• certificate: HP_CLIENT_CERTIFICATE

• cipher-used: HP_CIPHER_USED

• ssl-id: HP_SSL_SESSION_ID
config policygroup service priority
Sets the priority level of the specified service.

config policygroup <policy-name> service
<service-name> priority <level>

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• level is the service priority. You may specify a value from 1
(highest) to [illegible] (lowest), with 1 as the default.


config policygroup service response
Sets the target response time.

config policygroup <policy-name> service
<service-name> response <mil-seconds>

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• mil-seconds is the number of milliseconds the service
should take to respond to a request. This value is ignored
unless throttling is activated in the Policy Group. You can
specify a value from 1 to 2,147,483,647, and the default is 50.


config policygroup service server-timeout
Specifies the amount of time a client request waits for the server to
respond before trying the next available server. If no server is
available, a 503 error ("No server available") message is sent to the
requesting client. Server-timeout mode is available only to
RICH_HTTP services.

config policygroup <policy-name> service
<service-name> server-timeout <seconds>

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• seconds is the number of seconds to wait for a connection.
You can specify a value from 1 to 2,147,483,647, and the
default is 5.
config policygroup service server create
Creates a new server.

NOTE: The server name and port must be unique.

config policygroup <policy-name> service
<service-name> server create <server-name>

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• server-name is any valid server name


config policygroup service server port 606
Enables or disables 606 error detection on the named server. 606 is
a user-defined error code. When 606 error detection is enabled,
requests that generate 606 errors are rerouted (transparently to the
client) to the next available server. When disabled, the error is sent
back to the requesting client.

config policygroup <policy-name> service
<service-name> server <server-name> port <port>
606 [enable | disable]

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• server-name is the name of the server

• port is the server port

• enable enables 606 error detection

• disable disables 606 error detection


config policygroup service server delete
Deletes an existing server.

config policygroup <policy-name> service
<service-name> server delete <server-name>

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• server-name is the name of the server to be deleted
config policygroup service server port expression create
(not available on the SA7200)
Expressions allow the SA8220 to parse requests at the levels of
path name, file type, and filename and direct them to the
appropriate server. Expressions can include wildcards. This
command creates an expression in the specified Policy Group/
service/server.

NOTE: Expressions can include the negation operator (!), such as
!*.gif, or !*/index.html. There can be only one asterisk in any
single expression. An asterisk must be either the entire expression
itself, or occur at the beginning or the end of the expression.

config policygroup <policy-name> service
<service-name> server <server-name> port <port>
expression create <expression>

where:

• policy-name is the name of an existing policy group

• service-name is the name of the service

• server-name is the name of the server

• port is the server port

• expression is any valid expression

Valid expressions include:

• File type expressions, such as *.gif, or */index.html

• Path expressions, such as /home/*, or /home/images/*,
or /home/images/a*

• Unique file expressions, such as /index.html

• Wildcard expressions, such as *

Invalid expressions include:

• Text on either side of the asterisk, such as /index*.gif

• Asterisk on either side of text, such as */images/*

• Expressions containing more than one asterisk, such as
/index*.*

• Expressions containing one or more spaces or the dollar sign
($) character
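The expression rules above (one asterisk at most, standing alone or at either end, an optional leading "!" negation, no spaces or "$") are easy to get wrong when a routing table is built by hand. The validator and matcher below are an added example, not code from the HP user guide: the validity checks follow the guide's rules, while the matching semantics (an asterisk standing for any run of characters, comparison against the request path, and first match wins in a table) are assumptions made for illustration.

```python
"""Validate and evaluate SA8220 content-routing expressions.

Added example, not part of the HP user guide. The validity rules are the
guide's (one asterisk at most, placed at either end or standing alone, an
optional leading "!" negation, no spaces or "$"). The matching semantics
are an assumption for illustration: "*" stands for any run of characters,
the expression is compared against the request path, and in a routing
table the first matching expression wins.
"""


def validate_expression(expr):
    """Return (True, "ok") or (False, reason) for one expression."""
    body = expr[1:] if expr.startswith("!") else expr
    if not body:
        return False, "expression is empty"
    if " " in body or "$" in body:
        return False, "spaces and the dollar sign are not permitted"
    stars = body.count("*")
    if stars > 1:
        return False, "more than one asterisk"
    if stars == 1 and not (body.startswith("*") or body.endswith("*")):
        # e.g. /index*.gif: text on both sides of the asterisk
        return False, "asterisk must be the whole expression or at one end"
    return True, "ok"


def matches(expr, path):
    """Decide whether a request path satisfies a (valid) expression."""
    ok, reason = validate_expression(expr)
    if not ok:
        raise ValueError(f"{expr!r}: {reason}")
    negate = expr.startswith("!")
    body = expr[1:] if negate else expr
    if body == "*":
        hit = True                                 # wildcard: everything
    elif body.startswith("*"):
        hit = path.endswith(body[1:])              # file type: *.gif, */index.html
    elif body.endswith("*"):
        hit = path.startswith(body[:-1])           # path prefix: /home/images/a*
    else:
        hit = path == body                         # unique file: /index.html
    return hit != negate                           # "!" inverts the result


def pick_server(path, table):
    """Return the server for the first table entry whose expression matches."""
    for expr, server in table:
        if matches(expr, path):
            return server
    return None


# Constructed routing table of (expression, server-name) pairs for illustration.
ROUTING_TABLE = [
    ("*.gif", "image-srv"),
    ("/home/*", "home-srv"),
    ("!*.cgi", "static-srv"),
    ("*", "default-srv"),
]

if __name__ == "__main__":
    for path in ("/img/logo.gif", "/home/a.html", "/cgi/login.cgi", "/about.html"):
        print(path, "->", pick_server(path, ROUTING_TABLE))
```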
config policygroup service server port expression delete
(not available on the SA7200)
Deletes the named expression. The expression may be designated
either by its own specification or by entering its index as displayed
by the expression info command.

config policygroup <policy-name> service
<service-name> server <server-name> port <port>
expression delete <expression>

where:

• policy-name is the name of an existing policy group

• service-name is the name of the service

• server-name is the name of the server

• port is the server port

• expression is any valid expression


config policygroup service server port expression info
(not available on the SA7200)
Lists the named expression.

config policygroup <policy-name> service
<service-name> server <server-name> port <port>
expression info

where:

• policy-name is the name of an existing policy group

• service-name is the name of the service

• server-name is the name of the server

• port is the server port
config policygroup service server port http
Enables or disables HTTP error detection on the named server.
When HTTP error detection is enabled, requests that generate
HTTP errors 401-405 and 500-503 are rerouted (transparently to
the client) to the next available server. When disabled, these errors
are sent back to the requesting client.

config policygroup <policy-name> service
<service-name> server <server-name> port <port>
http [enable | disable]

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• server-name is the name of the server

• port is the server port

• enable enables HTTP error detection

• disable disables HTTP error detection


config policygroup service server port mode
Enables or disables Source Address Preservation (SAP) on the
named server. When OPR is enabled, the CLI-configured server
port is ignored and the configured server service port is used. By
default, SAP is enabled (and cannot be disabled) when OPR is
enabled.

NOTE: OPR requires the use of servers' loopback adapters. For more
details, please see "Configuring Out-of-Path Return" in Appendix D.

config policygroup <policy-name> service
<service-name> server <server-name> port <port>
mode [brokered | opr | sap]

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• server-name is the name of the server

• port is the server port

• brokered is the default mode, with both SAP and OPR
disabled

• opr enables Out-of-Path Return

• sap enables Source Address Preservation
config policygroup service server port msap
Enables or disables Multi-hop Source Address Preservation
(MSAP) on the named server.

config policygroup <policy-name> service
<service-name> server <server-name> port <port>
msap [enable | disable]

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• server-name is the name of the server

• port is the server port

• enable enables Multi-hop Source Address Preservation

• disable disables Multi-hop Source Address Preservation


config policygroup service server port type
Specifies the server type of the named server.

NOTE: A backup server is sent requests only under two circumstances:
First, when the primary servers are unable to meet the configured
target response times, a backup server is used if and only if
"backups" is enabled for this service. Second, backup servers are
given requests when a primary server is unavailable. As primary
servers become inactive, backup servers are brought into service to
handle requests.

config policygroup <policy-name> service
<service-name> server <server-name> port <port>
type [primary | backup | disable]

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• server-name is the name of the server

• port is the server port

• primary specifies that this server is a primary server

• backup specifies that this server is a backup server

• disable disables the server


config policygroup service sticky
The SA8220 can be configured to maintain a session's state so that
serial requests from a single client are allocated to the same server.
This is called "sticky port" functionality. This command allows
you to enable or disable the sticky port function. Sticky
functionality is enabled in either of two modes. "Src-ip" (source IP
address) mode identifies requesting clients by IP address. "Cookie"
mode entails sending a cookie to requesting browsers which
identifies subsequent requests as coming from the same client.

NOTE: Src-ip is supported on all platforms. Cookie is supported on
SA7220 and SA8200/SA8220 only. This mode must be used to enable
sticky ports in environments in which requests come to the SA8220
through proxy servers. (All requests coming from a proxy server have
that server's address as their apparent Source IP address, rather than
the actual address of their origination.) Sticky Cookie mode is
available only to RICH_HTTP services.

config policygroup <policy-name> service
<service-name> sticky [disable | src-ip |
cookie]

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• disable disables sticky ports

• src-ip enables Source IP Address sticky mode

• cookie enables Cookie mode (available only to
RICH_HTTP)


config policygroup service sticky-timeout
(SA7220 and SA8200/SA8220 only)
When the sticky port function is enabled, the maximum time
during which a single server is forced to serve serial requests by a
single client is called the "sticky timeout." This command sets the
sticky timeout.

config policygroup <policy-name> service
<service-name> sticky-timeout <nseconds>

where:

• policy-name is the name of an existing Policy Group

• service-name is the name of the service

• nseconds is the period, in seconds, that a connection is
guaranteed to connect to the same server. For each subsequent
connection, the timeout countdown is restarted. You can
specify a value from 1 to 2,147,483,647, and the default is 90
seconds.
System Commands

The System commands are described below.


config sys
Changes the prompt to the config/sys branch.

config sys


config sys autoboot
Enables or disables the Autoboot function. If Autoboot is enabled,
the SA8220 prompts you to press a key during restart to enter the
Boot Monitor command line interface. If you ignore the prompt,
restart finishes with the SA8220 in normal operating mode. If
Autoboot is disabled, the restart sequence ends by displaying the
Boot Monitor interface. Autoboot is disabled by default. For
more details, please see "Boot Monitor" in Chapter 3.

config sys autoboot [enable | disable]


config sys hosts info
Displays the contents of the SA8220's host file.

config sys hosts info


config sys hosts delete
Deletes the specified entry from the host file.

config sys hosts delete <ipaddress>


config sys hosts add
Adds the specified IP address to the host file and associates it with
the specified hostnames. Hostnames are separated on the
command line by spaces.

config sys hosts add <ipaddress> alias
<hostname1> {alias2 <hostname> alias3
<hostname> alias4 <hostname> alias5 <hostname>
alias6 <hostname>}


Command 


Description 


config sys id 


Sets the unit identifier. The SA8220 is shipped pre-configured 




with the unit's serial number in this field. This command can 




change the identifier if the site requires alternate asset tracking 




information. 




config sys id <identif ier> 




where identifier is an alphanumeric value from 1 to 64 




characters. 


config sys info 


Displays all current system information 




config sys info 


config sys msd 


Changes the prompt to the config sys msd branch 




config sys msd 


config sys msd info 


Shows the current Multi-Site Agent information 




config sys msd info 


config sys msd port 


Sets the Multi-Site Agent port 




config sys msd port <port> 




where port is an integer from 1 to 65535, and the default is 1999. 




We recommend using free ports 1024 and higher. 


config sys software 


Changes the prompt to the config sys software branch 




config sys software 


config sys software boot
Selects a software image and reboots the system under that image.

config sys software boot <index>

where index is a valid index of an installed software image, as displayed using the command show sys software info.

config sys software delete
Deletes old versions of SA8220 software from local storage. It can be used to free local storage to install a version update or product upgrade.

config sys software delete <index>

where index is a valid index of an installed software image, as displayed using the command show sys software info.

config sys software install
Downloads and installs SA8220 software updates or upgrades. Software downloads are performed via the FTP protocol. Once installed, images are selected for execution by using the command config sys software boot.

config sys software install <url> {key <license key>} {user <user name>} {password <password>} passive [enable | disable]

where:

• url is a valid URL identifying the software image to download. It must be of the form ftp://<host>/<path-name>.

• license key is a valid HP license key for the software image and SA8220 unit to be installed. A license key is required only to upgrade from SA7200 software to SA7220 software; no key is required for updates within a single version (you can obtain a key from HP Customer Support).

• user name is the user name needed to log in during FTP file transfer.

• password is the password with which to log on during FTP file transfer.

• passive permits you to enable or disable passive FTP transfers. The default is "enable."

NOTE: IP Forwarding blocks active FTP transfers unless all ports are opened. If you install the same image as the currently running image, the system will automatically reboot.
config sys software ms-software
Specifies the multi-site software level. The parameters are used to show all installed multi-site agents, enable a multi-site agent, delete a multi-site agent, or install a new multi-site agent.

config sys software ms-software [info | enable <index> | delete <index> | install <url> {user <user> password <pass>}]

where: 

• index is the (integer) index of the installed multi-site agent to 
make active or delete 

• url is the complete TFTP or FTP URL of an install agent 

• user is a valid username 

• pass is a valid password 
Security Commands

The Security commands are described below.

Command Description

config sys security custom access-control
Determines whether the access control list is enabled or disabled. Access control lists are configured with the commands acl add (ip or netmask) and acl delete (ip or netmask). If an IP address or netmask is on the access control list, hosts matching it are allowed to connect with any of the enabled administrative methods. SNMP has further restrictions based on IP; the other methods require user/password authentication.

config sys security custom access-control [enable | disable]

Disabled by default.



config sys security custom acl add ip
Adds an IP address to the access control list.

config sys security acl add ip <xxx.xxx.xxx.xxx>

config sys security custom acl add netmask
Adds a netmask in dotted decimal notation to the access control list.

config sys security acl add netmask <xxx.xxx.xxx.xxx/xx>

config sys security custom acl delete ip
Deletes an IP address from the access control list.

config sys security acl delete ip <xxx.xxx.xxx.xxx>

config sys security custom acl delete netmask
Deletes a netmask in dotted decimal notation from the access control list.

config sys security acl delete netmask <xxx.xxx.xxx.xxx/xx>

config sys security custom acl info
Displays the current access control list. The access control list is only used if config sys security access-control is enabled.
config sys security custom
Switches to the custom security settings menu.

config sys security custom
config sys security custom forwarding
Enables or disables IP forwarding. If IP forwarding is enabled, the servers connected to the second interface of the SA8220 are directly accessible by their IP addresses. There is no restriction on direct access to the servers through the SA8220.

config sys security custom forwarding [enable | disable]

Disabled by default.


config sys security custom gui
Enables or disables administration using the GUI. If enabled, administrators can log on to the GUI and perform administration tasks through a web browser.

config sys security custom gui [enable | disable]
config sys security custom info
Displays the current state of the custom configuration. If the mode displayed is "custom," then the displayed configuration is the active one. The default custom configuration is GUI access only.


config sys security custom ms-agent
Enables or disables the multi-site agent.

config sys security custom ms-agent [enable | disable]

Disabled by default.


config sys security custom snmp
Enables or disables administration using SNMP.

config sys security custom snmp [enable | disable]

Disabled by default.

config sys security custom ssh
Enables or disables administration using Secure Shell (SSH).

config sys security custom ssh [enable | disable]
config sys security custom telnet
Enables or disables administration using telnet.

config sys security custom telnet [enable | disable]

Disabled by default.

config sys security info
Displays the current state of the security system.

config sys security mode
Specifies the security mode. The default mode is "closed."

config sys security mode [open | closed | custom]

where mode is one of the following:

• open permits all administration tasks to be performed without restriction from all IP addresses and enables IP forwarding. IP forwarding allows direct access to servers at their real IP addresses.

• closed allows administration to be performed only from the serial port.

• custom enables the configuration displayed by config sys security custom info. Within config sys security custom, each SA8220 administration access method can be configured individually.
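To see how the security mode, the access control list and the per-method custom settings described above combine, here is an added Python model of that decision. It is example code written for this edit, not the appliance's own software or output: the class, method and field names are assumptions, the GUI-only default for custom mode is taken from the custom info description, and the sample addresses are constructed. It answers whether an administrative connection is accepted and lists the observations a configuration reviewer would want flagged.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Administrative methods governed by config sys security custom <method>.
# The serial console is handled separately because closed mode leaves only it.
NETWORK_METHODS = ("gui", "ssh", "telnet", "snmp")


@dataclass
class SecurityConfig:
    """Model (an assumption, not the appliance's code) of config sys security."""
    mode: str = "closed"                      # manual: the default mode is closed
    access_control: bool = False              # custom access-control, disabled by default
    forwarding: bool = False                  # custom forwarding, disabled by default
    acl: List[ipaddress.IPv4Network] = field(default_factory=list)
    # Per-method flags; GUI-only follows "the default custom configuration is GUI access only".
    methods: Dict[str, bool] = field(default_factory=lambda: {
        "gui": True, "ssh": False, "telnet": False, "snmp": False})

    def acl_add(self, entry: str) -> None:
        # acl add ip takes xxx.xxx.xxx.xxx, acl add netmask takes xxx.xxx.xxx.xxx/xx;
        # strict=False lets a netmask entry carry host bits.
        self.acl.append(ipaddress.ip_network(entry, strict=False))

    def acl_delete(self, entry: str) -> None:
        self.acl.remove(ipaddress.ip_network(entry, strict=False))

    def acl_permits(self, client_ip: str) -> bool:
        # The list is consulted only while access-control is enabled.
        if not self.access_control:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.acl)

    def admin_allowed(self, method: str, client_ip: Optional[str] = None) -> bool:
        """Is an administrative session over `method` from `client_ip` accepted?"""
        if method == "serial":
            return True                       # every mode keeps the serial port
        if method not in NETWORK_METHODS:
            raise ValueError("unknown method: %r" % method)
        if self.mode == "closed":
            return False                      # closed: serial port only
        if self.mode == "open":
            return True                       # open: all tasks, from any address
        if self.mode != "custom":
            raise ValueError("unknown mode: %r" % self.mode)
        if not self.methods.get(method, False):
            return False
        if client_ip is None:
            return not self.access_control    # nothing to check against the ACL
        return self.acl_permits(client_ip)

    def ip_forwarding_active(self) -> bool:
        """open mode always forwards; custom mode follows its own flag."""
        return self.mode == "open" or (self.mode == "custom" and self.forwarding)

    def findings(self) -> List[str]:
        """Review-style observations a defender would want to see."""
        out = []
        if self.mode == "open":
            out.append("mode open: all methods from any address, IP forwarding on")
        if self.mode == "custom":
            live = [m for m in NETWORK_METHODS if self.methods.get(m)]
            if live and not self.access_control:
                out.append("access-control disabled: %s reachable from any address"
                           % ", ".join(live))
            if self.methods.get("telnet"):
                out.append("telnet enabled: administration credentials cross the "
                           "network unencrypted")
        if self.ip_forwarding_active():
            out.append("IP forwarding active: servers behind the second interface "
                       "are directly reachable")
        return out
```

The ACL check sits behind the per-method flag on purpose: an address on the list gains nothing from a method that is disabled, and, as the access-control description says, the list is ignored entirely while access-control is off.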
SNMP Commands

The SNMP commands are described below.

Command Description

config sys snmp community create
Specifies community strings that the SA8220 will accept on incoming SNMP requests. Up to 10 community strings can be created.

config sys snmp community create <string> ip 
[<ip address> | any ] rights [ro|rw] 

where: 

• <string> is the name of the community you wish to create 

• <ip address> is the IP address of the host from which you 
will accept this community string. If any is specified, the 
community string will be accepted on requests from any IP 
address. 

• ro means the community string has read-only privilege. 

• rw means the community string has read-write privilege. 

The default community strings are public any ro and 
private any rw. 

config sys snmp community delete
Deletes a community string that the SA8220 can accept on incoming SNMP requests.

config sys snmp community delete <string> ip [<ip address> | any]

where:

• string is the name of the community string you want to delete

• ip address is the IP address of the host from which you will not accept this community string. If any is specified, the community string will not be accepted on requests from any IP address.

config sys snmp community info
Displays the community strings the SA8220 is configured to accept.

config sys snmp community info
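Because the defaults are public any ro and private any rw, the first thing a reviewer checks is what this table will accept, from where, and with which rights. The following is an added Python model of the community table described above; it is example code written for this edit, not the appliance's software, the class and method names are assumptions, the sample addresses and strings are constructed, and the model assumes the two default entries count toward the limit of 10.

```python
from dataclasses import dataclass
from typing import List

MAX_COMMUNITIES = 10   # manual: up to 10 community strings can be created


@dataclass(frozen=True)
class Community:
    string: str
    ip: str       # dotted-quad source address, or "any"
    rights: str   # "ro" or "rw"


class CommunityTable:
    """Model (an assumption, not the appliance's code) of config sys snmp community."""

    def __init__(self) -> None:
        # The documented defaults: public any ro and private any rw.
        self.entries: List[Community] = [
            Community("public", "any", "ro"),
            Community("private", "any", "rw"),
        ]

    def create(self, string: str, ip: str = "any", rights: str = "ro") -> None:
        if rights not in ("ro", "rw"):
            raise ValueError("rights must be ro or rw")
        if len(self.entries) >= MAX_COMMUNITIES:   # assumption: defaults count
            raise RuntimeError("up to %d community strings can be created"
                               % MAX_COMMUNITIES)
        self.entries.append(Community(string, ip, rights))

    def delete(self, string: str, ip: str = "any") -> bool:
        """Remove the matching entry; returns False if nothing matched."""
        before = len(self.entries)
        self.entries = [c for c in self.entries
                        if not (c.string == string and c.ip == ip)]
        return len(self.entries) != before

    def accepts(self, string: str, source_ip: str, write: bool = False) -> bool:
        """Would a request carrying `string` from `source_ip` be honoured?"""
        for c in self.entries:
            if c.string != string:
                continue
            if c.ip != "any" and c.ip != source_ip:
                continue
            if write and c.rights != "rw":
                continue
            return True
        return False

    def findings(self) -> List[str]:
        """Reviewer's checks: well-known strings and unrestricted write access."""
        out = []
        for c in self.entries:
            if c.string in ("public", "private"):
                out.append("well-known community %r still configured" % c.string)
            if c.rights == "rw" and c.ip == "any":
                out.append("read-write community %r accepted from any address"
                           % c.string)
        return out
```

Run against a fresh table, findings() reports three items for the two defaults; deleting private any and creating a read-only string bound to one management host leaves only the public entry to deal with.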
config sys snmp info
Displays information about the SNMP port, sysContact, sysName, and sysLocation.

config sys snmp info

config sys snmp port
Specifies the port where the SA8220 receives SNMP requests.

config sys snmp port <#>

where # is a number between 5020 and 65535 (the default is 161).

config sys snmp sysContact
Specifies a string for the MIB-II variable sysContact. The default is NULL.

config sys snmp sysContact <string>

where string is a string of displayable characters.

config sys snmp sysLocation
Specifies a string for the MIB-II variable sysLocation. The default is NULL.

config sys snmp sysLocation <string>

where string is a string of displayable characters.

config sys snmp sysName
Specifies a string for the MIB-II variable sysName. The default is the hostname of the SA8220.

config sys snmp sysName <string>

where string is a string of displayable characters.
config sys snmp trap create community
Specifies the host to which the SA8220 sends SNMP traps. Up to 10 trap receivers can be created. By default the trap receiver list is empty, that is, no traps are sent.

config sys snmp trap create <ip address> community <community string>

where:

• ip address is the IP address of the host to which you wish to send SNMP traps

• community string is sent with all traps sent to the IP address

config sys snmp trap delete community
Deletes a host from the trap receiver list.

config sys snmp trap delete <ip address> community <community string>

where:

• ip address is the IP address of the host you want to delete from the trap receiver list

• community string is an identifier associated with specified access rights

config sys snmp trap info
Displays the trap receiver list.

config sys snmp trap port
Specifies the port to which the SA8220 sends traps.

config sys snmp trap port <port>

where port is a number between 5020 and 65535 (the default is 162).

show sys snmp info
Displays all SNMP information.
SSL Commands (SA8200/SA8220 only)

The Secure Transactions (SSL) commands unique to the SA8220 are described below.

Command Description

config policygroup service key certificate create
Creates a certificate. A private key must be created prior to using this command. You can optionally provide distinguished name (DN) information. If no DN information is provided, the default DN information is used. The default DN information can be viewed or changed by using the ssl dn command.

NOTE: When the procedure is complete, you can type info at the prompt to verify the key's creation.

config policygroup <policy-name> service <service-name> key certificate create {life <life> name <name> email <email> state <state> organization <org> unit <unit> locality <loc> country <country>}

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• life is the number of days the certificate remains valid (range is 1-365 days; the default is 30 days)

• name is the common (server) name

• email is the email address

• state is the name of your state or province

• organization is the name of your company or organization

• unit is your organizational section

• locality is the name of your city or locality

For example, creating a certificate that expires in 120 days:

HP SA8220/.../<server> port <port number>#certificate create life 120
config policygroup service key certificate delete
Deletes a certificate.

NOTE: When the procedure is complete, you can type info at the prompt to verify the certificate's deletion.

config policygroup <policy-name> service <service-name> key certificate delete

where:

• policy-name is the name of a policy group

• service-name is the name of a service

Example:

HP SA8220/.../service/<service>/<key># certificate delete

config policygroup service key certificate export
Exports a certificate. Certificates can be exported to the console or to a remote machine via ftp.

NOTE: If no URL is provided, the certificate will be exported to the console.

config policygroup <policy-name> service <service-name> key certificate export [<url>]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• url is a valid URL identifying where to export the certificate (it must be in the form ftp://<host>/<path-name>)

• user is the username

• password is the password
config policygroup service key certificate import
Imports an existing certificate. We recommend you copy the certificate (a block of ASCII text) from a server's console window, then paste it into the SA8220's console window when prompted. To paste in a certificate, type the import command and press <Enter>. The CLI prompts you to paste in the certificate. When finished, type three periods ("...") on a separate line, then press <Enter>.

NOTE: When the procedure is complete, you can type info at the prompt to verify the certificate's transfer to the SA8220.

config policygroup <policy-name> service <service-name> key certificate import [<url> user <username> password <password>]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• url is a valid URL identifying the certificate file to download (it must be in the form ftp://<host>/<path-name>)

• user is the username

• password is the password

config policygroup service key client-ca
Displays, deletes, exports, or imports a client certificate.

NOTE: Client certificates are actually loaded in the browser. Certificates from the CA that issued the client certificates are loaded in the SA8220.

config policygroup <policy-name> service <service-name> key client-ca [delete | export | import | info]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• delete deletes a client certificate

• export exports a client certificate

• import imports a client certificate

• info displays the client certificate information
config policygroup service key client-ca header-certificate
Adds the PEM-encoded client certificate to the HTTP header of requests sent to the servers. The SSL session ID will also be sent. The config policygroup service header-names command may be used to configure the header names field for the client certificate and SSL session ID.

NOTE: With header-certificate enabled, and using Internet Explorer* with a non-trusted CA (for example, a broker-generated or Microsoft IIS server-generated server certificate), the client certificate may not pass through on the first request. Pass-through behaves correctly if the server certificate is obtained from a recognized CA such as Verisign*.

config policygroup <policy-name> service <service-name> key client-ca header-certificate [disable | enable]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• disable (the default) disables the client certificate in the HTTP header

• enable enables the client certificate in the HTTP header

config policygroup service key client-ca revocation delete
Deletes a CRL.

config policygroup <policy-name> service <service-name> key client-ca revocation [delete]

where:

• policy-name is the name of a policy group

• service-name is the name of a service
config policygroup service key client-ca revocation import
Imports a CRL from a server.

config policygroup <policy-name> service <service-name> key client-ca revocation [import]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

For example, you can copy the CRL (a block of ASCII text) from a certificate server's console window, then paste it into the SA8220's console window. To paste in a CRL, type the import command and press <Enter>. The CLI prompts you to paste in the certificate. When finished, type three periods ("...") on a separate line, then press <Enter>.

config policygroup service key client-ca revocation info
Displays detailed information about the CRL.

config policygroup <policy-name> service <service-name> key client-ca revocation [info]

where:

• policy-name is the name of a policy group

• service-name is the name of a service
config policygroup service key client-ca revocation mode
Sets the mode to disable or enable.

NOTE: When mode is disabled, the presence of a valid CRL is irrelevant, since no client certificate checking will occur. When mode is enabled, a missing or invalid CRL will cause the service to become disabled. Changing the mode to disabled, or importing a valid CRL, will re-enable the service.

config policygroup <policy-name> service <service-name> key client-ca revocation [mode] <disable | enable>

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• disable means that client certificates are not checked against the CRL (the default setting)

• enable means that client certificates are validated against the CRL

config policygroup service key client-ca revocation refresh
Sets the interval at which the SA8220 will download the CRL from a certificate server.

NOTE: The refresh command supports both DER and PEM format revocation lists.

config policygroup <policy-name> service <service-name> key client-ca revocation [refresh] <now>

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• interval is an integer representing the number of minutes from 0 to 625600 (1 year) to wait between attempted retrievals of a CRL from a URL specified using the url parameter below. A value of 0 disables the feature, and a value of 30 will attempt to retrieve the CRL every 30 minutes.

• now causes the CRL to be downloaded immediately
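The NOTE on revocation mode describes a small state machine: with mode disabled the CRL is irrelevant, with mode enabled a missing or invalid CRL takes the service down, and importing a valid CRL or switching the mode back to disabled brings it up again. Here it is as an added Python model that also applies the refresh interval rule (0 disables periodic retrieval; otherwise 1 to 625600 minutes). This is example code written for this edit, not the appliance's software; the class and method names are assumptions, and the minute counter passed to next_refresh_due is a constructed stand-in for the appliance's clock.

```python
from dataclasses import dataclass
from typing import Optional

MAX_REFRESH_MINUTES = 625600   # manual: 0..625600 minutes ("1 year")


@dataclass
class RevocationState:
    """Model (an assumption, not the appliance's code) of key client-ca revocation."""
    mode_enabled: bool = False          # revocation mode: disable is the default
    refresh_minutes: int = 0            # 0 disables periodic CRL retrieval
    crl_valid: Optional[bool] = None    # None: no CRL loaded; False: invalid CRL

    def set_mode(self, enable: bool) -> None:
        self.mode_enabled = enable

    def set_refresh(self, minutes: int) -> None:
        if not 0 <= minutes <= MAX_REFRESH_MINUTES:
            raise ValueError("interval must be 0..%d minutes" % MAX_REFRESH_MINUTES)
        self.refresh_minutes = minutes

    def import_crl(self, valid: bool) -> None:
        # revocation import, or a refresh from the configured URL; `valid`
        # stands for whether the retrieved list parsed as a CRL.
        self.crl_valid = valid

    def delete_crl(self) -> None:
        # revocation delete (key delete removes the CRL as well).
        self.crl_valid = None

    def service_enabled(self) -> bool:
        """Mode disabled: CRL irrelevant. Mode enabled: a missing or invalid
        CRL disables the service until a valid one is imported."""
        if not self.mode_enabled:
            return True
        return self.crl_valid is True

    def checks_client_certs(self) -> bool:
        """Client certificates are validated against the CRL only when mode is
        enabled and the service is up."""
        return self.mode_enabled and self.service_enabled()

    def next_refresh_due(self, last_retrieval_minute: int) -> Optional[int]:
        """Minute at which the next periodic retrieval is due, or None when refresh is 0."""
        if self.refresh_minutes == 0:
            return None
        return last_retrieval_minute + self.refresh_minutes
```

The operational consequence is the one the NOTE on the url command points at: with mode enabled and a non-zero refresh, a URL that stops serving a valid CRL eventually leaves service_enabled() false, so the log messages it mentions are worth watching.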
config policygroup service key client-ca revocation url
Retrieves the CRL.

NOTE: If refresh is set to a non-zero value, and the URL is invalid (or specifies a non-valid CRL file), a message is entered into the system logs. We encourage network administrators to monitor these logs to ensure the SA8220 is receiving CRLs properly. Using the refresh now command causes the log message to be printed to the screen. The url command supports both DER and PEM format revocation lists.

config policygroup <policy-name> service <service-name> key client-ca revocation <url> {user <username> password <password> | <none>}

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• url is a URL used to retrieve the CRL. The format of the URL is protocol://server:port/path. The FTP, HTTP and LDAP protocols are supported. See the examples below.

• username is the optional username to access the URL

• password is the optional password to access the URL

• none clears the URL

Examples of the url parameter:

• url ftp://ftp.newhost.com/myrevoke.crl user anonymous sets the URL path to myrevoke.crl on the host ftp.newhost.com using the FTP protocol with the username of anonymous, and no password.

• url http://www.myhost.com:9800/CertEnroll/server.crl sets the URL path to CertEnroll/server.crl on the host www.myhost.com using the HTTP protocol on port 9800.

• url ldap://server.com/DC=company,CD=com,CN=cRL password U8#h2kOW sets the URL to /DC=company,CD=com,CN=cRL on the host server.com using the LDAP protocol with a password of U8#h2kOW.

config policygroup service key create
Creates a private key.

NOTE: When the procedure is complete, you can type info at the prompt to verify the key's creation.

config policygroup <policy-name> service <service-name> key create [512 | 1024]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• 512 (the default) creates a 512-bit RSA private key

• 1024 creates a 1024-bit RSA private key
config policygroup service key delete
Deletes a private key.

NOTE: key delete deletes the certificate, signing request, and private key associated with the service. When the procedure is complete, you can type info at the prompt to verify the key's deletion. Deleting a CRL disables the service if mode = enable.

config policygroup <policy-name> service <service-name> key delete

where:

• policy-name is the name of a policy group

• service-name is the name of a service

config policygroup service key export
Exports a private key. The private key can be exported either to the console or to a remote machine via ftp.

NOTE: If no URL is provided, the private key will be displayed on the console.

config policygroup <policy-name> service <service-name> key export [<url>]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• url is a valid URL identifying where the private key is to be exported (it must be in the form ftp://<host>/<path-name>)

• user is the username

• password is the password
config policygroup service key import
Imports an existing private key. For example, you can copy the key (a block of ASCII text) from a server's console window, then paste it into the SA8220's console window, or the private key may be copied via ftp. To paste in a key, type the import command and press <Enter>. The CLI prompts you to paste in the certificate. When finished, type three periods ("...") on a separate line, then press <Enter>.

NOTE: When the procedure is complete, you can type info at the prompt to verify the key's transfer to the SA8220.

config policygroup <policy-name> service <service-name> key import [<url> {user <username>} {password <password>}]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• url is a valid URL identifying the private key file to download (it must be in the form ftp://<host>/<path-name>)

• username is the username

• password is the password

For example, importing a private key via FTP:

import ftp://remotehost/key.pem user anonymous

config policygroup service key redirect
Specifies the default URL to return the user to if the client does not support the cipher suite. Each service may specify a different URL.

config policygroup <policy-name> service <service-name> key redirect [default | <url> | none]

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• default specifies the redirect value

• url is a valid URL identifying the redirect page in the form http://<host>/<path name>

• none disables page redirect
config policygroup service key signrequest create
Creates a signing request. Signing requests are used to obtain certificates from a Certificate Authority. Once created, the signing request is exported and emailed to the Certificate Authority, who will mail you a certificate for you to import into the SA8220. You can optionally include distinguished name (DN) information in the request. If no DN information is provided, the default DN information is used. The default DN information can be viewed or changed by using the ssl dn command.

NOTE: You must create a private key prior to creating a signing request.

config policygroup <policy-name> service <service-name> key signrequest create {name <name> email <email> state <state> organization <org> unit <unit> locality <loc> country <country> password <password> company <company>}

where:

• policy-name is the name of a policy group

• service-name is the name of a service

• name is the common (or server) name

• email is the email address

• state is the name of your state or province

• organization is the name of your company or organization

• unit is your organizational section

• locality is the name of your city or locality

• password is the challenge password

• company is a company name

For example:

HP SA8220/.../service/<service>/key># signrequest create

config policygroup service key signrequest delete
Deletes a signing request.

NOTE: When the procedure is complete, you can type info at the prompt to verify the signing request's deletion.

config policygroup <policy-name> service <service-name> key signrequest delete

where:

• policy-name is the name of a policy group

• service-name is the name of a service

For example:

HP SA8220/.../service/<service>/key># signrequest delete

config policygroup service key signrequest export
Exports a signing request. The request can be exported to the console or to a remote machine via FTP.

config policygroup <policy-name> service <service-name> key signrequest export [<url>]

where:

• policy-name is the name of an existing policy group

• service-name is the name of the service you want to create

• url is a valid URL identifying where to export the certificate (it must be in the form ftp://<host>/<path-name>)
config policygroup service key suite
Specifies a cipher suite for each type of service.

config policygroup <policy-name> service <service-name> key suite [all | high | medium | low | export | <custom>] <CIPHERSUITE>

where:

• policy-name is the name of an existing policy group

• service-name is the name of the service you want to create

• CIPHERSUITE is a string representing the desired cipher suite, for example: RC4-MD5

The suite is one of the following:

• all = all supported ciphers (including export ciphers)

• high = all ciphers with 168-bit encryption (triple-DES)

• medium = all ciphers with 128-bit and above encryption, including high

• low = all ciphers with 64-bit and above encryption, including medium and high

• export = all export ciphers only

• custom = user-defined cipher

• default = use the default value specified at the 'config ssl' level

config ssl cache
Enables or disables the SA8220's SSL session reuse capability. Enabling the cache can provide a performance benefit for SSLv2 clients. This option must be disabled if the majority of the traffic uses SSLv3. Users must consult their client browser software to determine the protocol used.

config ssl cache [enable | disable]

where:

• enable enables the SSL session reuse capability

• disable disables the SSL session reuse capability
config ssl dn
Sets the Distinguished Name (DN) configuration. This information will be incorporated into new certificate or signing requests unless otherwise specified.

NOTE: A unique DN should be specified when generating certificates for each private key created or installed on the SA8220. This prevents potential certificate conflicts with cached certificates on the client's browser. As an alternative, the same private key and certificate pair can be used for multiple Layer 7 services. In this case, the user will see the service as coming from the same trusted provider.

config ssl dn {name <name> email <email> state <state> organization <org> unit <unit> locality <loc> country <country>}

where:

• name is the common (server's) name

• email is the email address

• state is the name of your state or province

• organization is the name of your company or organization

• unit is your organizational section

• locality is the name of your city or locality

config ssl redirect
Specifies the default URL to return the user to if the client does not support the cipher suite. Each service may specify a specific URL (see the config policygroup service key redirect command) at the service key level.

config ssl redirect [<url> | none]

where:

• url is a valid URL identifying the redirect page in the form http://<host>/<path name>

• none (the default) disables page redirect.
config ssl suite
Configures the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. The value applies to all SSL-enabled services.

NOTE: For more information about supported ciphers, please see "Using Ciphers with the SA8220" in Appendix B.

config ssl suite [all | high | medium | low | export | <custom>]

where:

• all = all supported ciphers (including export ciphers)

• high = all ciphers with 168-bit encryption (triple-DES)

• medium = all ciphers with 128-bit and above encryption, including high

• low = all ciphers with 64-bit and above encryption, including medium and high

• export = all export ciphers only

• custom = user-defined cipher
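Both config policygroup service key suite and config ssl suite use the same named levels, and the levels nest (medium includes high, low includes medium and high, all includes the export ciphers). The added Python model below expands a level or a custom cipher string over a catalogue and reports the weakest key a client could negotiate under that setting, which is the number a reviewer wants. This is example code written for this edit, not the appliance's software: the catalogue and its bit counts are constructed for illustration and only RC4-MD5 comes from the manual (Appendix B has the real list), the colon-separated form of a custom suite is an assumption, and the service-level default falling back to the config ssl value follows the key suite description above.

```python
from typing import Dict, List

# Constructed catalogue for illustration: cipher name -> symmetric key bits.
# Only RC4-MD5 is taken from the manual; the other entries are assumed.
CIPHER_BITS: Dict[str, int] = {
    "DES-CBC3-SHA": 168,
    "DES-CBC3-MD5": 168,
    "RC4-MD5": 128,
    "RC4-SHA": 128,
    "IDEA-CBC-SHA": 128,
    "DES-CBC-SHA": 56,       # below the 64-bit floor of "low", so only "all" admits it
    "EXP-RC4-MD5": 40,
    "EXP-DES-CBC-SHA": 40,
}
LEVELS = ("all", "high", "medium", "low", "export")
EXPORT_PREFIX = "EXP-"   # assumption: export ciphers carry this prefix


def ciphers_for_level(level: str, catalogue: Dict[str, int] = CIPHER_BITS) -> List[str]:
    """Expand a named level into the ciphers it admits, strongest first."""
    floors = {"high": 168, "medium": 128, "low": 64, "all": 0}
    if level == "export":
        keep = [n for n in catalogue if n.startswith(EXPORT_PREFIX)]
    elif level in floors:
        keep = [n for n, bits in catalogue.items() if bits >= floors[level]]
    else:
        raise ValueError("unknown level: %r" % level)
    return sorted(keep, key=lambda n: (-catalogue[n], n))


def custom_suite(spec: str, catalogue: Dict[str, int] = CIPHER_BITS) -> List[str]:
    """A <custom> suite: colon-separated cipher names (assumed form);
    unknown names are rejected rather than silently ignored."""
    names = [n for n in spec.split(":") if n]
    unknown = [n for n in names if n not in catalogue]
    if unknown:
        raise ValueError("unknown cipher(s): %s" % ", ".join(unknown))
    return names


def resolve(setting: str, catalogue: Dict[str, int] = CIPHER_BITS) -> List[str]:
    """A setting is either one of the named levels or a custom cipher string."""
    if setting in LEVELS:
        return ciphers_for_level(setting, catalogue)
    return custom_suite(setting, catalogue)


def effective_suite(service_setting: str, global_setting: str,
                    catalogue: Dict[str, int] = CIPHER_BITS) -> List[str]:
    """key suite 'default' falls back to the config ssl suite value."""
    if service_setting == "default":
        return resolve(global_setting, catalogue)
    return resolve(service_setting, catalogue)


def weakest_bits(setting: str, catalogue: Dict[str, int] = CIPHER_BITS) -> int:
    """Smallest key a client could negotiate under this setting."""
    ciphers = resolve(setting, catalogue)
    if not ciphers:
        raise ValueError("setting admits no ciphers")
    return min(catalogue[c] for c in ciphers)
```

With this catalogue, low and medium expand to the same list because nothing in it sits between 64 and 127 bits, while all drops to 40 bits through the export ciphers; that gap between "all" and the next level down is the point of checking weakest_bits rather than the level name.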
Logging Commands

The Logging commands are described below.

Command Description

config logging info
Displays current logging configuration settings.

config logging sys
Displays system-level logging configuration.

config logging output
Log file viewing and configurations.

config logging sys info
Displays the current system logging mask settings and available logging masks.

config logging sys enable
Enables the system logging mask.

enable <mask>

where <mask> is one of the following:

• general
• trace
• audit
• debug
• statistic
• security
• warning
• error

config logging sys disable
Disables the system logging mask.

disable <mask>

where <mask> is one of the following:

• general
• trace
• audit
• debug
• statistic
• security
• warning

config logging output info
Displays the current logging configuration settings.
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Command 


Description 


confiq loqqinq output 


Sets the maximum log file size. Range is 1024-600000. 


logsize 




config logging output 


Allows review of the log file. An option filter value can be 


viewlog 


indicated to remove the logging mask from the log tile upon 




review. 




config logging output viewlog <filter> 




where <filter> is one of the following: 




general general debug and information logging 




trace function-level trace logging 




audit audit trail logging 




debug debug information logging 




statistic statistical information logging 




security security information logging 




warning warning statement logging 




error error statement logging 


config logging output 


Review the log file externally. The log file must be sent to an 


maillog 


SMTP email address for review. 



config logging output maillog <address> 
<mailhost> 



where: 

• addr e s s is a valid SMTP email address (to which the log file 
is sent externally) 

• mailhostisa valid email server host name on your network 
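The following is an added illustration, not code from the SA8220 or this guide, of the logging-mask behaviour the table above describes: a mask enabled with config logging sys enable selects which categories are written at all, disabling a mask stops further entries in that category, and the viewlog filter hides one category when the log is reviewed. The mask names are the ones listed above; the log messages are constructed samples.

```python
"""Category-masked system log (added model, not SA8220 code)."""
from enum import Flag, auto
from typing import List, Optional, Tuple


class Mask(Flag):
    """The logging masks named in the table above."""
    GENERAL = auto()
    TRACE = auto()
    AUDIT = auto()
    DEBUG = auto()
    STATISTIC = auto()
    SECURITY = auto()
    WARNING = auto()
    ERROR = auto()


class SystemLog:
    def __init__(self, enabled: Mask = Mask(0)) -> None:
        self.enabled = enabled
        self.entries: List[Tuple[Mask, str]] = []

    def enable(self, mask: Mask) -> None:
        """Equivalent of: config logging sys enable <mask>"""
        self.enabled |= mask

    def disable(self, mask: Mask) -> None:
        """Equivalent of: config logging sys disable <mask>"""
        self.enabled &= ~mask

    def log(self, category: Mask, message: str) -> bool:
        """Write the entry only if its category is enabled; report whether it was kept."""
        if not (category & self.enabled):
            return False
        self.entries.append((category, message))
        return True

    def viewlog(self, exclude: Optional[Mask] = None) -> List[str]:
        """Render the log, dropping the excluded category (config logging output viewlog <filter>)."""
        return [
            f"[{cat.name.lower()}] {msg}"
            for cat, msg in self.entries
            if exclude is None or not (cat & exclude)
        ]


def demo() -> Tuple[List[bool], List[str], List[str]]:
    """Run a constructed sequence; return (kept flags, full view, view without security)."""
    log = SystemLog()
    log.enable(Mask.AUDIT | Mask.SECURITY | Mask.ERROR)
    kept = [
        # constructed sample entries
        log.log(Mask.AUDIT, "admin login from 10.6.2.50"),
        log.log(Mask.DEBUG, "policygroup gold: server check sent"),   # DEBUG not enabled: dropped
        log.log(Mask.SECURITY, "failed login for user admin"),
        log.log(Mask.ERROR, "server serv2.acme.com port 80 unreachable"),
    ]
    log.disable(Mask.AUDIT)
    kept.append(log.log(Mask.AUDIT, "admin logout"))                   # dropped after disable
    return kept, log.viewlog(), log.viewlog(exclude=Mask.SECURITY)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Note that a disabled mask means the entry is never written, not merely hidden: the audit logout line above is lost, whereas the viewlog filter only suppresses display of entries that remain in the file.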
Show

The Show commands are described below.

Commands

Command: show admin info
Description: Displays the port used for communication with the GUI.

    show admin info

Command: show cli info
Description: Displays the CLI configuration.

    show cli info

Command: show cli users
Description: Displays the list of users.

    show cli users

Command: show gui info
Description: Displays the GUI configuration.

    show gui info

Command: show irv info
Description: Displays the current IRV ping interval.

    show irv info

Command: show msd info
Description: Displays the current multi-site agent information.

    show msd info

Command: show policygroup info
Description: To display the configurations of ALL policy groups:

    show policygroup info

    To display the configuration of a SPECIFIED policy group:

    show policygroup <policy-name> info

    where policy-name is the name of the policy group whose configuration you want to view.

Command: show policygroup service info
Description: To display configuration for ALL services in the specified policy group:

    show policygroup <policy-name> service info

    where policy-name is the name of the policy group whose service information you want to view.

    To display configuration for a SPECIFIED service:

    show policygroup <policy-name> service <service-name> info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service

Command: show policygroup service key info (SA8200/SA8220 only)
Description: Displays SSL private key information.

    show policygroup <policy-name> service <service-name> key info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service

Command: show policygroup service key certificate info
Description: Displays SSL certificate information.

    show policygroup <policy-name> service <service-name> key certificate info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service

Command: show policygroup service key client-ca info (SA8200/SA8220 only)
Description: Displays client-ca information.

    show policygroup <policy-name> service <service-name> key client-ca info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service

Command: show policygroup service key sign-request info (SA8200/SA8220 only)
Description: Displays signing request information.

    show policygroup <policy-name> service <service-name> key sign-request info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service

Command: show policygroup service key client-ca revocation info (SA8200/SA8220 only)
Description: Displays client-ca revocation information.

    show policygroup <policy-name> service <service-name> key client-ca revocation info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service

Command: show policygroup service server info
Description: To display server information for ALL servers:

    show policygroup <policy-name> service <service-name> server info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service

    To display server information for a SPECIFIED server:

    show policygroup <policy-name> service <service-name> server <server-name> info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service
    • server-name is the name of the server

Command: show policygroup service server port info
Description: Displays configured server ports.

    show policygroup <policy-name> service <service-name> server <server-name> port info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service
    • server-name is the name of the server

Command: show policygroup service server port expression info (not available on the SA7200)
Description: Displays the list of expressions for the specified server.

    show policygroup <policy-name> service <service-name> server <server-name> port <port> expression info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service
    • server-name is the name of the server
    • port is the server port

Command: show policygroup service server port info
Description: Displays configuration for a specified server.

    show policygroup <policy-name> service <service-name> server <server-name> port <port> info

    where:

    • policy-name is the name of the policy group
    • service-name is the name of the service
    • server-name is the name of the server
    • port is the server port

Command: show route info
Description: Displays the SA8220's routing configuration.

    show route info

Command: show ssl info (SA8200/SA8220 only)
Description: Displays the SSL distinguished name, cipher suite, and cache configuration.

    show ssl info

Command: show stats info
Description: Displays the SA8220's statistics.

    show stats info

    NOTE: Statistics for open connections in RICH and SSL modes (on the SA8220 and the SA7220) are not available.

Command: show stats service vport
Description: Displays statistics for a specified service.

    show stats service <vip> vport <vport>

    where:

    • vip is the service IP address (VIP)
    • vport is the VIP port

Command: show stats service vport server port
Description: Displays statistics for a specified server.

    show stats service <vip> vport <vport> server <ipaddr> port <port>

    where:

    • vip is the service IP address (VIP)
    • vport is the VIP port
    • ipaddr is the server IP address
    • port is the server port

Command: show sys date
Description: Displays the system date.

    show sys date

Command: show sys info
Description: Displays the following system information: IP address, netmask, broadcast, hostname, default route, name servers, and autoboot status.

    show sys info

    NOTE: If you need to contact Customer Support, you may be asked to provide this information.

Command: show sys snmp info
Description: Displays the current SNMP configuration information.

    show sys snmp info

Command: show sys software info
Description: Displays a list of installed software images, their image index, product, version, and build numbers.

    show sys software info

Command: show sys software ms-software info
Description: Displays all current installed multi-site software versions.

    show sys software ms-software info
This chapter covers the topics shown below:

• Scenario 1: Load Balancing a Web Site with Two Servers and the SA8220 in Inline Mode

• Scenario 2: Load Balancing Servers with Source Address Preservation

• Scenario 3: Routing Outbound Data Away from the SA8220 for OPR

• Scenario 4: Content Routing (SA7220 and SA8200/SA8220 only)

• Scenario 5: Using SSL Acceleration (SA8200/SA8220 only)

• Scenario 6: Using CRLs (SA8200/SA8220 only)

NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models.

e-Commerce Appliance Scenarios

This chapter contains five scenarios that demonstrate the operation of the HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s and the HP Traffic Director Server Appliance SA7200/7220s, using "real world" contexts.



Scenario 1: Load Balancing a Web Site with Two Servers and the SA8220 in Inline Mode

An Internet Service Provider (ISP) wants to set up a load-balanced, two-server web site named "Acme Web" with the SA8220 operating in Dual NIC mode (described below). The service is HTTP and the website's address is 10.1.1.201. The figure below shows an example.




Network Diagram for Scenario 1

The next figure shows the data flow diagram for scenario 1.

Data Flow Diagram for Scenario 1

In Dual NIC mode, the SA8220 uses two Ethernet ports. One is connected to the router or switch on which client requests arrive, and the other is connected to the server-side subnet. By contrast, Single NIC mode refers to configurations in which the SA8220 communicates with the router or switch and the servers via a single Ethernet port. For more information, please see "Routing with Dual Interfaces" in Chapter 2.



Prerequisites for Scenario 1 

• Two web servers are configured with replicated content. In this example they are referred to as "serv1.acme.com" and "serv2.acme.com" with IP addresses of 10.6.1.99 and 10.6.1.100, respectively.

• One SA8220 is installed between two distinct subnets. The 
outside subnet is connected to the router, and the inside subnet is 
connected to the switch. 

• The SA8220 must be physically installed on the network, and its 
Boot Monitor and routing protocol configurations must be 
complete. For more information, please see the "Getting Started 
Guide". 



Procedure for Scenario 1 



NOTE: Remember that 
all commands you need to 
type at the terminal 
appear in bold in this 
text. 



1. Type the SA8220 initial configuration commands as shown below:

monitor> setup

Enable dual NIC operation (yes, no) [no] >

Autoconfigure the Network side NIC speed and duplex (yes, no)? [yes] >

Autoconfigure the Server side NIC speed and duplex (yes, no)? [yes] >

DHCP is disabled for dual NIC operation.
Enter the hostname you would like to assign to the Network NIC: >

Enter the IP address for the Network side NIC >

Enter the IP address for the Server side NIC >

Enter the Netmask for the Network side NIC >

Enter the Netmask for the Server side NIC >

Enter default gateway: >

Would you like to configure DNS (yes, no) [no] >

Specify failover method (disabled, serial, route): [disabled] >

Enable Autoboot (yes, no) [no] >

monitor>dns

Would you like to configure DNS (yes, no)? [no] >yes

Enter Domain name ('-' to cancel) > tcslab.mycompany.com

Enter the IP Address of the Primary name server ('-' to cancel) >10.6.5.11

Specify additional name server (<return> to end) >

monitor>save

List of currently saved configuration file(s).
You may save over an existing configuration file or enter a new name.
File name

active.cfg
bobs
failover
backup.cfg

'active.cfg' is the last booted configuration.
Enter configuration file name (- to cancel): [active.cfg] >

monitor>save

List of currently saved configuration file(s).
You may save over an existing configuration file or enter a new name.
File name

active.cfg
bobs
failover
backup.cfg

'active.cfg' is the last booted configuration.
Enter configuration file name (- to cancel): [active.cfg] >

Configuration save canceled!

monitor>

monitor>boot
Current active configuration

Product:                    HP_SA8220
Version:                    2.7
Patch Level:                0.0
Build:                      38
Current time:               Thu Oct 5 11:55:49 PDT 2000

Hostname:                   SA8220

Network side NIC:
  IP Address:               10.6.2.99
  Netmask:                  255.255.255.0
  MAC address:              0:90:27:f6:f6:22

Server side NIC:
  IP Address:               10.6.4.99
  Netmask:                  255.255.255.0
  MAC address:              0:d0:b7:7f:46:34

Default Gateway:            10.6.2.1
Domain:                     tcslab.mycompany.com
Primary name server:        10.6.5.11
DHCP:                       Disabled
Failover mode:              Disabled
Network NIC speed/duplex:   Auto
Server NIC speed/duplex:    Auto
NTP:                        Disabled
Autoboot:                   Disabled
Static Routes:              None
RICH Biased:                Enabled

Select a boot configuration from the following files.
active.cfg
bobs
failover
backup.cfg

Boot configuration file name? [active.cfg] >

Do you really want to boot 'active.cfg'? [y] >

Please stand by, the system is being booted.
Done

login: admin
Password:

HP SA8220 e-Commerce Director command line interface

Copyright (c) 2001 Hewlett-Packard Company All Rights Reserved.

Please wait...

HP SA8220#

Create a Policy Group

1. To create a policy group, first move the prompt to the CLI's policy group level by typing this command:

HP SA8220#config policygroup

2. To specify the new policy group's name ("gold" in this example), type this command:

HP SA8220/config/policygroup#create gold

policygroup gold created.

3. To move the prompt to that level, type the name of the new policy group:

HP SA8220/config/policygroup#gold

Add HTTP Service and VIP

1. To add HTTP service (with a virtual IP address of 30.1.1.201 on port 80) to policy group gold, type this command:

HP SA8220/config/policygroup/gold#service create http vip 30.1.1.201 port 80

This command creates a new HTTP service on the SA8220 at IP address 30.1.1.201, listening on TCP port 80.

2. To move the prompt to the level of the specific service ("http"), type this command:

HP SA8220/config/policygroup/gold#service http
Add Servers to the HTTP Service

1. To add server "serv1.acme.com" to the HTTP service, type this command:

HP SA8220/config/policygroup/gold/service/http#server create serv1.acme.com port 80

Server serv1.acme.com port 80 has been created.

This command tells the SA8220 that serv1.acme.com can fulfill requests arriving at 30.1.1.201 on port 80.

2. To add server "serv2.acme.com," type this command:

HP SA8220/config/policygroup/gold/service/http#server create serv2.acme.com port 80

Server serv2.acme.com port 80 has been created.

The SA8220 is now configured for load balancing a Web site with two servers. When HTTP requests arrive at VIP 30.1.1.201 on port 80, the SA8220 balances the fulfillment of those requests across serv1.acme.com and serv2.acme.com.
Scenario 2: Load Balancing Servers with Source Address Preservation

In its default operating mode, the SA8220 alters source and destination packet addresses so that fulfillment servers see only the SA8220's address. However, under some circumstances, administrators may want to preserve incoming clients' addresses in the server log files.

The SA8220's Source Address Preservation (SAP) mode ensures that a client's address remains as the source address of packets forwarded to the server, thus ensuring the maintenance of a record of client addresses in the server logs. This scenario illustrates the steps required to enable Source Address Preservation and configure the SA8220 to broadcast routes.

The figure below shows the network diagram for scenario 2.

Network Diagram for Scenario 2

The next figure shows the data flow diagram for scenario 2.

Data Flow Diagram for Scenario 2
Prerequisites for Scenario 2

• At least one Web server

• One client

• One SA8220 must be physically installed on the network, and its Boot Monitor and routing protocol configurations must be complete (please see the "Getting Started Guide").

Procedure for Scenario 2

Connect to the SA8220

1. Telnet to the SA8220 and log on as the administrator (admin). The Command Line prompt appears, as shown below:

HP SA8220#

Create a Policy Group

1. To create a policy group, first move the prompt to the policy group level by typing this command:

HP SA8220#config policygroup

2. To specify the new policy group's name ("saptest" in this example), type this command:

HP SA8220/config/policygroup#create saptest

policy group saptest created.

3. To move the prompt to that level, type the name of the policy group just created:

HP SA8220/config/policygroup#saptest

Add Service and VIP

1. To add the SAP service (with a virtual IP address of 30.1.1.201 on port 80) to policy group saptest, type this command:

HP SA8220/config/policygroup/saptest#service create sap vip 30.1.1.201 port 80

This creates a new service on the SA8220, using the HTTP protocol, at IP address 30.1.1.201, listening on TCP port 80.

NOTE: For each fulfillment server, the default gateway must be set to the SA8220's real IP address.

2. To move the prompt to the level of the specific service, type this command:

HP SA8220/config/policygroup/saptest#service sap

Add Servers to the SAP Service

1. To add the server "serv1" to the SAP service, type this command:

HP SA8220/config/policygroup/saptest/service/sap#server create serv1.prime.com port 80

Server serv1.prime.com port 80 has been created.

This tells the SA8220 that serv1.prime.com can fulfill requests arriving at 30.1.1.201 on port 80.

2. Move the prompt again by typing this command:

HP SA8220/config/policygroup/saptest/service/sap#server serv1.prime.com port 80

3. To finish, type this command:

HP SA8220/config/policygroup/saptest/service/sap/server/serv1.prime.com/port/80#mode sap

The mode sap command allows clients' addresses to be forwarded to the server in place of the SA8220's address.
Scenario 3: Routing Outbound Data Away from the SA8220 for OPR



You can configure the SA8220 to direct outbound data from the 
fulfillment servers to bypass the SA8220. Most requests to servers 
elicit a disproportionate amount of return data. Under some 
circumstances, it is desirable to avoid routing such volumes of 
content through the SA8220 as it returns to the client. 

The SA8220's Out of Path Return (OPR) mode allows you to remove 
the SA8220 from the return path to the client. OPR sends requests to 
a back-end server and allows the server to respond through its own 
default gateway — thus bypassing the SA8220 altogether. OPR 
requires that the server's loopback adapter be installed and configured 
with the VIP as an alias, and that the server be programmed with a 
default gateway address other than that of the SA8220. 

The figure below shows the network diagram for scenario 3. 
Network Diagram for Scenario 3

The next figure shows the data flow diagram for scenario 3.

[Figure: data flow between Client, Broker and Server; messages shown are SYN, SYN/ACK, ACK and Get URL]

Data Flow Diagram for Scenario 3
Prerequisites for Scenario 3

Equipment

• At least one Web server with an installed loopback adapter (for example, UNIX* or Windows* or NT*)

• One SA8220 physically installed on the network, with its Boot Monitor and routing protocol configurations completed (please see the "Getting Started Guide").

Procedure for Scenario 3

Connect to the SA8220

1. Telnet to the SA8220 and log on as the administrator (admin). The Command Line prompt appears, as shown below:

HP SA8220#

Create a Policy Group

1. To create a policy group, first move the prompt to the policy group level by typing this command:

HP SA8220#config policygroup

2. To specify the new policy group's name ("oprtest" in this example), type this command:

HP SA8220/config/policygroup#create oprtest

policy group oprtest created.

3. To move the prompt to that level, type the new policy group's name:

HP SA8220/config/policygroup#oprtest

Add HTTP Service and VIP

1. To add HTTP service (with a virtual IP address of 10.1.1.201 on port 80) to policy group oprtest, type this command:

HP SA8220/config/policygroup/oprtest#service create OPR vip 30.1.1.201 port 80

This command creates a new service on the SA8220, using the HTTP protocol, at IP address 30.1.1.201, listening on TCP port 80.

2. To move the prompt, type this command:

HP SA8220/config/policygroup/oprtest#service OPR

Add Servers to the OPR Service

1. To add the server "Serv1.com" to the OPR service, type this command:

HP SA8220/config/policygroup/oprtest/service/OPR#server create serv1.prime.com port 80

Server serv1.prime.com port 80 has been created.

This command tells the SA8220 that serv1.prime.com can fulfill requests arriving at 10.1.1.201 on port 80.

2. To move the prompt, type this command:

HP SA8220/config/policygroup/oprtest/service/OPR#serv1.prime.com port 80

NOTE: We recommend that you test the connectivity using Brokered mode before switching to OPR mode. Verify that the VIP is accessible from the client before enabling OPR mode.

3. Finish by typing this command:

HP SA8220/config/policygroup/oprtest/service/OPR/serv1.prime.com/port/80#mode opr

This command allows client addresses to be forwarded to the server in place of the SA8220's address.
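The three server modes of Scenarios 1 to 3 differ only in which addresses the SA8220 rewrites, and the prerequisites stated in those scenarios follow from that. The model below is an added illustration, not SA8220 code; it traces one request and its reply through each mode as the text describes them: the default (brokered) mode rewrites both addresses so the server sees only the SA8220; SAP keeps the client's source address, which is why the server's default gateway must be the SA8220; OPR leaves the SA8220 out of the return path, which is why the server needs the VIP as a loopback alias and a default gateway other than the SA8220. The VIP and serv1 addresses come from the scenarios and the SA8220 server-side address from the boot output above; the client and the alternative router address are constructed.

```python
"""Address handling in brokered, SAP and OPR modes (added model, not SA8220 code)."""
from dataclasses import dataclass
from typing import Dict, Set

CLIENT = "192.0.2.10"       # constructed client address
VIP = "30.1.1.201"          # service VIP used in the scenarios
BROKER = "10.6.4.99"        # SA8220 server-side NIC address (from the boot output)
SERVER = "10.6.1.99"        # serv1 (Scenario 1 prerequisites)
OTHER_GW = "10.6.1.1"       # constructed server-side router, used as the OPR gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def forward(mode: str, pkt: Packet) -> Packet:
    """Packet as it leaves the SA8220 toward the server."""
    if mode == "brokered":
        return Packet(BROKER, SERVER)          # both addresses rewritten
    if mode == "sap":
        return Packet(pkt.src, SERVER)         # client source preserved, destination rewritten
    if mode == "opr":
        return Packet(pkt.src, pkt.dst)        # left unchanged: still addressed to the VIP
    raise ValueError(f"unknown mode {mode!r}")


def simulate(mode: str, server_gateway: str, loopback_aliases: Set[str]) -> Dict[str, object]:
    """Trace one request/reply and report what each party sees."""
    request = Packet(CLIENT, VIP)
    fwd = forward(mode, request)
    result: Dict[str, object] = {
        "server_sees_src": fwd.src,
        "hops": [],
        "ok": False,
        "bypasses_sa8220": False,
    }
    # A host only accepts packets addressed to one of its own addresses,
    # so OPR needs the VIP configured as a loopback alias on the server.
    if fwd.dst != SERVER and fwd.dst not in loopback_aliases:
        result["reason"] = "server dropped packet: VIP is not one of its addresses"
        return result

    reply = Packet(fwd.dst, fwd.src)            # the server answers the addresses it saw
    if mode == "brokered":
        hops = [SERVER, BROKER, CLIENT]         # reply is addressed to the SA8220 ...
        reply = Packet(VIP, CLIENT)             # ... which rewrites it back for the client
    else:
        hops = [SERVER, server_gateway, CLIENT] # reply is addressed directly to the client
        if mode == "sap" and server_gateway == BROKER:
            reply = Packet(VIP, reply.dst)      # SA8220 on the path restores the VIP as source
    result["hops"] = hops
    result["bypasses_sa8220"] = BROKER not in hops
    result["client_receives_src"] = reply.src
    # The client connected to the VIP; a reply from any other address does not match its connection.
    if reply.src == VIP:
        result["ok"] = True
    else:
        result["reason"] = f"client discards reply from {reply.src}; it connected to {VIP}"
    return result


if __name__ == "__main__":
    for case in [("brokered", BROKER, set()), ("sap", BROKER, set()),
                 ("sap", OTHER_GW, set()), ("opr", OTHER_GW, {VIP}), ("opr", OTHER_GW, set())]:
        print(case[0], case[1], simulate(*case))
```

The two failing cases are the ones the scenarios warn about: SAP with a server gateway other than the SA8220 produces replies from the server's own address, and OPR without the loopback alias makes the server discard the request.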
Scenario 4: Content Routing (SA7220 and SA8200/SA8220 only)



Because the SA8220 can differentiate servers according to their 
content, it can apportion requests based on the type of content 
requested. For example, an administrator might choose to run the 
most processor-intensive processes (such as CGI scripts) on the most 
powerful servers while placing the less processor-bound files on 
slower servers. The SA8220 then sends requests for CGI scripts to 
the faster servers, thus avoiding the slowdowns that would occur if 
the slow servers were relied upon. 

The figure below shows the network diagram for scenario 4.

Network Diagram for Scenario 4

The next figure shows the data flow diagram for scenario 4.

Data Flow Diagram for Scenario 4



Prerequisites for Scenario 4 

• At least two Web servers 

• One for HTML and images 

• One for CGI scripts 

• One SA8220 physically installed on the network, and its Boot 
Monitor and routing protocol configurations must be complete 
(please see the "Getting Started Guide"). 

Procedure for Scenario 4 

Connect to the SA8220 

1. Telnet to the SA8220 and log on as the administrator (admin). 
The Command Line prompt appears, as shown below: 

HP SA8220# 



CHAPTER 6    HP Traffic Director Server Appliances User Guide



Create a Policy Group

1. To create a policy group, first move the prompt to the policy group level by typing this command:

HP SA8220#config policygroup

2. To specify the new policy group's name ("richtest" in this example), type this command:

HP SA8220/config/policygroup#create richtest

3. To move the prompt to the new policy group's level, type this command:

HP SA8220/config/policygroup#richtest

Add RICH HTTP Service and VIP

1. To add RICH_HTTP service (with a virtual IP address of 10.1.1.201 on port 80) to policy group richtest, type this command:

HP SA8220/config/policygroup/richtest#service create rich vip 30.1.1.201 port 80 type RICH_HTTP

This creates a new RICH service on the SA8220 using the RICH_HTTP protocol, at IP address 30.1.1.201, listening on TCP port 80.

2. To move the prompt to the service level, type service rich:

HP SA8220/config/policygroup/richtest#service rich

Add Servers to the RICH Service

1. To add "serv1" to the rich service, type this command:

HP SA8220/config/policygroup/richtest/service/rich#server create serv1.prime.com port 80

Server serv1.prime.com port 80 has been created.

This tells the SA8220 that serv1.prime.com can fulfill requests arriving at 10.1.1.201 on port 80.

2. To move the prompt to the server level, type this command:

HP SA8220/config/policygroup/richtest/service/rich#server serv1.prime.com port 80

Add Expressions to serv1's Configuration

1. Finish the configuration by adding expressions to server Serv1.com to differentiate content by typing these commands:

HP SA8220/config/policygroup/richtest/service/rich/server/serv1.prime.com/port/80#expression create *.html

HP SA8220/config/policygroup/richtest/service/rich/server/serv1.prime.com/port/80#expression create *.jpg

HP SA8220/config/policygroup/richtest/service/rich/server/serv1.prime.com/port/80#expression create *.gif

2. To verify the setup of serv1.prime.com, type this command at the prompt:

HP SA8220/config/policygroup/richtest/service/rich/server/serv1.prime.com/port/80/expression#info

Policy group: richtest
Service: rich

Server Name: serv1.prime.com

Status   Port  Type     Weight  Mode      MSAP  606  HTTP
Active   80    Primary  1       BROKERED  Off   On   Off

Index  Expressions
1      *.html
2      *.jpg
3      *.gif

3. To add "serv2" to the rich service, type these commands:

HP SA8220/config/policygroup/richtest/service/rich/server/serv1.prime.com/port/80#back
HP SA8220/config/policygroup/richtest/service/rich/server#create serv2.prime.com port 80

4. To move the prompt, type this command:

HP SA8220/config/policygroup/richtest/service/rich/server#serv2.prime.com port 80

Add an Expression to serv2's Configuration

1. Now add an expression to differentiate serv2's content from that of serv1 by typing this command. In this example, serv2 contains CGI content:

HP SA8220/config/policygroup/richtest/service/rich/server/serv2.prime.com/port/80#expression create /cgi-bin/*

2. To verify the setup of serv2, type this command at the prompt:

HP SA8220/config/policygroup/richtest/service/rich/server/serv2.prime.com/port/80#expression info

Policy group: richtest
Service: rich

Server Name: serv2.prime.com

Status   Port  Type     Weight  Mode      MSAP  606  HTTP
Active   80    Primary  1       BROKERED  Off   On   Off

Index  Expressions
1      /cgi-bin/*

The SA8220 now directs requests to specific servers according to the content requested. serv2 receives requests entailing CGI scripts (files located in the /cgi-bin directory), while all other requests go to serv1.
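The routing decision just described, matching the requested URL against each server's expressions with serv1 as the fallback, is shown below as an added example; it is not SA8220 code and does not claim to reproduce the appliance's matching rules. The server names and expressions are the scenario's; the request URLs are constructed. It also shows one check that matters whenever paths select a back end: the path is percent-decoded and normalised before matching, so a request written as /cgi-bin/../index.html is routed by the path the server will actually resolve rather than by its literal prefix.

```python
"""Content routing by URL expression (added model, not SA8220 code)."""
import fnmatch
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Precedence order: first match wins, so the specific CGI expression is
# checked before the general static-content expressions.
SERVERS: List[Tuple[str, List[str]]] = [
    ("serv2.prime.com", ["/cgi-bin/*"]),
    ("serv1.prime.com", ["*.html", "*.jpg", "*.gif"]),
]
DEFAULT_SERVER = "serv1.prime.com"   # "all other requests go to serv1"


def normalise_path(url: str) -> str:
    """Decode and collapse the request path so routing sees what the server will resolve."""
    path = unquote(urlsplit(url).path) or "/"
    path = posixpath.normpath(path)          # removes ".", ".." and repeated slashes
    return path if path.startswith("/") else "/" + path


def route(url: str, normalise: bool = True) -> Tuple[str, Optional[str]]:
    """Return (server, matching expression), or (default server, None) when nothing matches."""
    path = normalise_path(url) if normalise else (urlsplit(url).path or "/")
    for server, expressions in SERVERS:
        for expr in expressions:
            if fnmatch.fnmatchcase(path, expr):
                return server, expr
    return DEFAULT_SERVER, None


def route_all(urls: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    return [(url, *route(url)) for url in urls]


if __name__ == "__main__":
    # constructed sample requests against the scenario's VIP
    for url, server, expr in route_all([
        "http://30.1.1.201/index.html",
        "http://30.1.1.201/images/logo.gif",
        "http://30.1.1.201/cgi-bin/search.pl?q=sa8220",
        "http://30.1.1.201/cgi-bin/%2e%2e/index.html",
        "http://30.1.1.201/about",
    ]):
        print(f"{url:50} -> {server} ({expr})")
```

The encoded traversal case shows why normalisation belongs before matching: with normalise=False the literal /cgi-bin/ prefix sends the request to the CGI server, while the path the server resolves is /index.html.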

Determine the Routing Method for VIP Addresses

After the service is set up, the SA8220 needs to be configured to route the VIP address to the site's routers. There are two possibilities:

• In single SA8220 installations, the SA8220's "Standalone" mode is preferred as it allows the VIP to be ARP-accessible from the router.

• If there are multiple address spaces (such as a SA8220 on the 10.x.x.x network and a VIP on the 209.x.x.x network), then a routing protocol might be the best method to advertise the VIP.

When configuring routing on the SA8220, always match the router's configuration. The SA8220 can be programmed to use RIP v1, RIP v2 or OSPF.

For example:

HP SA8220#config route

HP SA8220/config/route#info
Route configuration:

Broker role:                standalone
RIP Info:
  Active:                   no
  Version:                  2
OSPF Info:
  Active:                   no
  Area:                     backbone
  Hello interval:           10
  Router dead interval:     40
  Authentication type:      simple
  Authentication key:       <your key>
Scenario 5: Using SSL Acceleration (SA8200/SA8220 only)

We now build upon Scenario 4 by adding a Layer 7 service using the SA8220's SSL acceleration capabilities. As discussed earlier, the SA8220 can offload SSL processing from the web server, providing dramatically improved performance.

The figure below shows the message flow when the SA8220 is used for SSL processing.

SA8220 Used For SSL Processing

In the conventional secure web server setup, protected data is accessed using HTTPS (HTTP over SSL) on port 443. In this example we add a new web server, "Serv3," which along with "Serv2" (defined in Scenario 4) hosts this data and accesses it through VIP 10.1.1.201 on port 443. We assume the data is accessed on server port 80 to isolate it from normal HTTP traffic. It is also strongly recommended that secure data be isolated from the rest of the network through the use of the inside NIC interface and the SA8220's security firewall capabilities.
Procedure for Scenario 5

Using this procedure, you will add an SSL enabled service called "SSL" to the previously defined "Richtest" policy group.

1. Telnet to the SA8220 and log on as the administrator (admin). The Command Line prompt appears, as shown below:

HP SA8220#

2. To move the prompt to the Richtest policy group, type this command:

HP SA8220#config policygroup richtest

3. To add the new service to the richtest policy group, type this command:

HP SA8220/config/policygroup/richtest#service create SSL vip 10.1.1.201 port 443 type RICH_HTTP

Service SSL created.

4. To move the prompt to the service SSL level, type this command:

HP SA8220/config/policygroup/richtest#service SSL

NOTE: An existing key may be imported using the key import command.

5. To create the RSA private key, type this command:

HP SA8220/config/policygroup/richtest/service/SSL#key create 1024

Finished creating key. Key strength is 1024.

6. To create a certificate, type these commands:

HP SA8220/config/policygroup/richtest/service/SSL#key certificate create

Certificate created (Expires in 30 days).

The service is SSL enabled. Define the servers to start processing.

HP SA8220/config/policygroup/richtest/service/SSL#server create serv2.prime.com port 80

Server serv2.prime.com port 80 has been created.

HP SA8220/config/policygroup/richtest/service/SSL#server create serv3.prime.com port 80

Server serv3.prime.com port 80 has been created.



Scenario 6: Using CRLs (SA8200/SA8220 only)

NOTE: Scenario 6 assumes that you have already completed all steps in Scenario 5.

The SA8220 can be configured to work with Certificate Revocation Lists (CRLs). In this scenario, the SA8220 uses a CRL to validate that a client certificate is not expired (i.e., does not appear in the CRL). For more information on CRLs, please see Appendix B.
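What the CRL check above amounts to is shown below as an added example; this is not SA8220 code and does not describe how the appliance implements the check. It models a client-certificate check against a CA's CRL: the certificate's serial number must not appear in the list, the CRL must come from the certificate's issuer, and the CRL must be within its own validity window, because a CRL past its nextUpdate time says nothing reliable about current revocation status and the safe answer is to refuse. All issuer names, serial numbers and times are constructed.

```python
"""Client-certificate check against a CRL (added model, not SA8220 code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class ClientCert:
    serial: int
    issuer: str
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Set[int] = field(default_factory=set)   # serial numbers listed as revoked


def check_client_cert(cert: ClientCert, crl: CRL, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason). Any state that cannot be confirmed is a rejection."""
    if now > cert.not_after:
        return False, "certificate expired"
    if crl.issuer != cert.issuer:
        return False, "CRL issuer does not match certificate issuer"
    if now < crl.this_update or now > crl.next_update:
        return False, "CRL outside its validity window; revocation status unknown"
    if cert.serial in crl.revoked:
        return False, "certificate revoked"
    return True, "accepted"


# Constructed sample data (hypothetical issuer, serials and dates)
ISSUER = "CN=Example Client CA, O=Acme"
T0 = datetime(2000, 10, 5, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(ISSUER, this_update=T0, next_update=T0 + timedelta(days=7), revoked={0x1002})
GOOD = ClientCert(0x1001, ISSUER, T0 + timedelta(days=365))
REVOKED = ClientCert(0x1002, ISSUER, T0 + timedelta(days=365))
EXPIRED = ClientCert(0x1003, ISSUER, T0 - timedelta(days=1))
FOREIGN = ClientCert(0x1001, "CN=Other CA", T0 + timedelta(days=365))


def run_checks(now: datetime = T0) -> Dict[str, Tuple[bool, str]]:
    """Check each sample certificate against SAMPLE_CRL at the given time."""
    cases = [("good", GOOD), ("revoked", REVOKED), ("expired", EXPIRED), ("foreign", FOREIGN)]
    return {name: check_client_cert(cert, SAMPLE_CRL, now) for name, cert in cases}


if __name__ == "__main__":
    for name, (accepted, reason) in run_checks().items():
        print(f"{name:8} {'accept' if accepted else 'reject'}: {reason}")
    print("stale CRL:", run_checks(now=T0 + timedelta(days=8))["good"])
```

The last line of the demo is the case worth noticing operationally: once the imported CRL ages past its nextUpdate, even an unrevoked certificate is refused until a fresh CRL is exported from the PKI server and imported, which is why the export step in the prerequisites has to be repeated on the CA's publication schedule.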

Prerequisites for Scenario 6

• A Web server

• A SA8220

• A valid client authentication (CA) certificate

• A public key infrastructure (PKI) server with a CA certificate and the ability to:

  - generate a CRL

  - revoke certificates

  - export the CRL using FTP, HTTP, or LDAP

• Ensure that SSL is set up correctly. See "Scenario 5: Using SSL Acceleration (SA8200/SA8220 only)" in this chapter.
Procedure for Scenario 6

Using this procedure, you will configure the SA8220 to use a CRL.

1. Telnet to the SA8220 and log on as the administrator (admin). The Command Line prompt appears, as shown below:

HP SA8220#

2. To move the prompt to the SSL service in the Richtest policy group, type this command:

HP SA8220# config policygroup richtest service SSL

You will see:

HP SA8220/config/policygroup/richtest/service/SSL#

3. To navigate to client-ca, type the following command:

HP SA8220/config/policygroup/richtest/service/SSL# key client-ca

You will see:

HP SA8220/config/policygroup/richtest/service/SSL/key/client-ca#

4. To import the CA certificate from the PKI server, type the following command:

<policygroup/richtest/service/SSL/key/client-ca# import

You will see:

Paste in the data, end with . . . alone on line.
5. Paste in the certificate.

After approximately 30 seconds, you will see: 

BEGIN CERTIFICATE
(base64 certificate data omitted)
END CERTIFICATE

Client certificate successfully imported 

6. To move to the revocation level (i.e., enable CRLs), type the following command:

HP SA8220/config/policygroup/richtest/service/SSL/key/client-ca# revocation

You will see:

HP SA8220/config/policygroup/richtest/service/SSL/key/client-ca/revocation#

7. To give the SA8220 the download address for the CRL, type the following command:

<policygroup/richtest/service/SSL/key/client-ca/revocation# url ftp://10.1.2.64/Certsrv/myCA.crl user john password smith

where john is your username and smith is your password.

You will see:

URL updated

8. To verify that the SA8220 can retrieve the CRL from your PKI, type the following command:

<policygroup/richtest/service/SSL/key/client-ca/revocation# refresh now

This downloads the CRL from your PKI server 10.1.2.64 to the SA8220. You will see:

Refresh completed, revocation list was obtained from: ftp://10.1.2.64/Certsrv/myCA.crl

9. To set up the SA8220 to periodically update the CRL, type the following command:

<policygroup/richtest/service/SSL/key/client-ca/revocation# refresh 480

This sets the CRL update period to 8 hours (480 minutes). You will see:

Refresh will begin in 480 minute(s), url: ftp://10.1.2.64/Certsrv/myCA.crl

10. To enable the CRL feature for the SA8220, type the following command:

<policygroup/richtest/service/SSL/key/client-ca/revocation# mode enable

You will see:

Mode changed to enable

<policygroup/richtest/service/SSL/key/client-ca/revocation#
SNMP Support



NOTE: For ease of 
reading, all models are 
referred to as the SA8220 
throughout this 
document. Unless noted 
otherwise, all SA8220 
references refer to all 
models. 



This chapter covers the topics shown below: 

• Standards Compliance 

• HP MIB Tree

• Trap Summary 

• Displaying SNMP Parameters 

• Configuring Community Authentication and Security 
Parameters 

• Configuring Trap Parameters 

• Other Configurable SNMP Parameters 
Using SNMP

NOTE: To allow communications to the SNMP port, SNMP must be enabled. Enable SNMP by using the "config sys security custom snmp enable" command (for SNMP specifically) or the "config sys security mode open" command (for all remote system access).

The HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s and the HP Traffic Director Server Appliance SA7200/SA7220s include a fully compliant, embedded Simple Network Management Protocol (SNMP) agent that supports SNMPv1 and SNMPv2c requests. In addition to standard MIB-II, HP private enterprise MIBs provide the following capabilities:

• Monitor the SA8220's health 

• Monitor health of a redundant SA8220 and failover readiness 

• Monitor the SA8220's load as indicated by CPU utilization, 
connection count and connections per second 

• Monitor status and performance of server farm 

• Monitor status and performance of services (VIP, port) presented 
to clients 

• Monitor HTTP server errors and HTTP errors recovered by the 
SA8220 for clients 

• Monitor SSL acceleration performance and capacity 



Standards Compliance

The SA8220 SNMP agent is bilingual and can support both SNMPv1 and SNMPv2c requests. HP private enterprise MIB files are compliant with SMIv2 as specified in RFC 1902. The SNMP agent supports Management Information Base-II (MIB-II) as specified in RFC 1213, but allows SET operations only on the SYSTEM and SNMP groups.
HP MIB Tree

Refer to the figure below (HP's MIB tree) for a better understanding of this section.

HP's MIB Tree

All HP enterprise MIBs and MIB objects are defined under the management branch of the HP tree. All sysObjectIds that identify HP products are defined under the hpServerAppliancesSystem branch of the HP tree.
Supported MIBs

Management Information Base-II (MIB-II)
HP Enterprise MIBs:

hpserver-header.my
hpbroker-mib.my
hpl7-broker-mib.my
hpssl-acceleration-mib.my
hpuser-mib.my



Where to find MIB Files 

Electronic copies of the HP MIB files used by the SA8220 are 
shipped with the product on CD-ROM and are available from HP's 
web site: 



http://www.hp.com/serverappliances/support/

Write access through MIB II SNMP SET is allowed only to the System and SNMP groups. An SNMP SET on all other groups returns a noAccess error for SNMPv2c or a noSuchName error for SNMPv1.

The SA8220 supports the coldStart, linkUp, linkDown, and authenticationFailure standard SNMP traps.

hpserver-header.my

hpserver-header.my contains the objects that define the top-level branches of the HP MIB tree. It also contains all the sysObjectIds defined for HP Traffic Director Server Appliance products. All sysObjectIds are defined under the sysProducts branch of the HP tree. This MIB file contains the sysObjectId definitions for the e-Commerce and Traffic Director products, as listed below.



Model     MIB Name

SA7200    hpsa7200

SA7220    hpsa7220

SA8200    hpsa8200

SA8220    hpsa8220
hpbroker-mib.my

NOTE: The Intelligent Resource Verification (IRV) CLI command is config irv <ping-interval> (default value is zero). To make the serverPingTable active, ensure that the (IRV) ping-interval is NOT set to zero.

hpbroker-mib.my defines objects and traps for Layer 4 load balancing. hpbroker-mib.my also contains objects and traps related to server availability, the SA8220's CPU utilization, and its operational status. The hpbroker-mib.my objects and traps are discussed below.

Server Availability (Ping)

The serverPingTable can be used to monitor server availability. If a server is responding to periodic ping requests from the SA8220, then its state is marked as responding. Otherwise, the server is marked as notResponding. Whenever a server's Ping state toggles, the trap serverPingNormal or serverPingAlert is sent for that server.

Server TCP Connection

The performance of TCP connections between the SA8220 and servers is monitored. This performance data is stored in the serverTcpTable. For each configured server mapping used for load balancing a service (VIP, PORT), the following data is maintained in the serverTcpTable:

• State, up or down (serverState)

• How long this server has been up (serverUpTime)

• Response time (serverRspTm)

• Number of established TCP connection instances (serverConnCnt)

• TCP connections established per second (serverCps)

Trap thresholds are available in the MIB for serverRspTm, serverConnCnt and serverCps. Different threshold settings can be configured for each server TCP connection in serverTcpTable.

Trap thresholds for server response time can be configured so that a 
trap is sent if the response time reaches a specified value. When 
serverRspTm reaches serverRspTmHiWater, a 
serverRspTmAlert trap is sent. While in alert, if serverRspTm 
dips to serverRspTmLoWater, a serverRspTmNormal trap is 
sent. High- and low- water thresholds provide hysteresis and prevent 
the spurious generation of traps. If the high-water threshold is set to 
0, no traps are sent. 
Trap thresholds for server connection count can be configured so that a trap is sent if the connection count reaches a specified value. The serverConnCntAlert and serverConnCntNormal traps and applicable thresholds work similarly to those for server response time.

Trap thresholds for server connections/second can be configured such that if the connection/second rate reaches a given value, a trap is sent. The serverCpsAlert and serverCpsNormal traps and applicable thresholds work similarly to those for server response time.

Layer 4 Service (VIP, PORT) 

The performance of each configured Layer 4 service (VIP, PORT) 
presented to clients is monitored. Performance data is stored in the 
serviceTcpTable. This data is computed by aggregating the 
values in serverTcpTable that apply to the (VIP, PORT). That is, 
all server TCP connections used for load balancing a (VIP, PORT) 
are aggregated to derive performance data for that (VIP, PORT) in 
serviceTcpTable. Per (VIP, PORT) pair, the following data is 
available: 

• State, up or down (serviceState) 

• Length of time the service has been up (serviceUpTime) 

• Response time (serviceRspTm) 

• Number of established TCP connections (serviceConnCnt) 

• TCP connections established per second (serviceCps) 

Trap thresholds are available in the MIB for serviceRspTm, 
serviceConnCnt and serviceCps. Different threshold settings 
can be configured for each service in serviceTcpTable. 

Trap thresholds for service response time can be configured such that 
if the service response time reaches a specified value, a trap is sent. 
When serviceRspTm reaches serviceRspTmHiWater, a 
serviceRspTmAlert trap is sent. While in alert, if 
serviceRspTm dips to serviceRspTmLoWater, a 
serviceRspTmNormal trap is sent. High- and low-water 
thresholds provide hysteresis and prevent spurious trap generation. If 
the high-water threshold is set to 0, no traps are sent. 

Trap thresholds for service connection count can be configured so that a trap is sent if the connection count reaches a value. The traps serviceConnCntAlert and serviceConnCntNormal and the applicable thresholds work similarly to those for service response time.

Trap thresholds for service connections/second can be configured such that if the connection/second rate reaches a value, a trap is sent. The serviceCpsAlert and serviceCpsNormal traps and applicable thresholds work similarly to those for service response time.

Broker Connection Count, Connections/Second and CPU Utilization

brokerConnCnt is the number of established TCP connections used for load balancing. This number aggregates all serviceConnCnt values in the serviceTcpTable. brokerCps is the number of TCP connections/second established by the Director. brokerCps aggregates all serviceCps values in the serviceTcpTable.

brokerCpuUtil returns the current CPU utilization of the Director. Its value can be from 0 to 100%.

Trap thresholds are available in the MIB for brokerCpuUtil, brokerConnCnt and brokerCps.

Trap thresholds for Director CPU utilization can be configured such that if the Director CPU utilization reaches a value, a trap is sent. When brokerCpuUtil reaches brokerCpuUtilHiWater, a brokerCpuUtilAlert trap is sent. While in alert, if brokerCpuUtil dips to brokerCpuUtilLoWater, a brokerCpuUtilNormal trap is sent. High- and low-water thresholds provide hysteresis and prevent the spurious generation of traps. If the high-water threshold is set to 0, no traps are sent.

Trap thresholds for Director connection count can be configured such that if the connection count reaches a value, a trap is sent. The traps brokerConnCntAlert and brokerConnCntNormal and the applicable thresholds work similarly, as described above for Director CPU utilization.

Trap thresholds for Director connections/second can be configured such that if the connection/second rate reaches a value, a trap is sent. The brokerCpsAlert and brokerCpsNormal traps and applicable thresholds work similarly to those for the SA8220's CPU utilization.
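The high-water/low-water hysteresis that the server, service and broker threshold objects above all share, as an added Python model (not HP's code; the MIB text only describes the behaviour). It assumes that "reaches HiWater" means a sample greater than or equal to HiWater and "dips to LoWater" means a sample less than or equal to LoWater; the samples in the demo are constructed values.

```python
# Added example, not HP code: one trap object with the HiWater/LoWater
# hysteresis described for serverRspTm, serviceRspTm, brokerCpuUtil, etc.

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HysteresisTrap:
    """A monitored MIB object with a high-water and a low-water threshold.

    Behaviour taken from the MIB description:
      * when the value reaches HiWater an <name>Alert trap is sent and
        the object enters the alert state;
      * while in alert, when the value dips to LoWater a <name>Normal
        trap is sent and the alert state is left;
      * a HiWater of 0 disables trapping entirely.
    "Reaches" is modelled as >= and "dips to" as <= (assumption).
    """
    name: str            # MIB object name, e.g. "brokerCpuUtil"
    hi_water: int        # e.g. brokerCpuUtilHiWater
    lo_water: int        # e.g. brokerCpuUtilLoWater
    in_alert: bool = False
    sent: List[str] = field(default_factory=list)   # traps sent so far

    def update(self, value: int) -> Optional[str]:
        """Feed one sample; return the trap name sent, or None."""
        if self.hi_water == 0:                  # trapping disabled
            return None
        if not self.in_alert and value >= self.hi_water:
            self.in_alert = True
            trap = f"{self.name}Alert"
        elif self.in_alert and value <= self.lo_water:
            self.in_alert = False
            trap = f"{self.name}Normal"
        else:
            return None                         # inside the hysteresis band
        self.sent.append(trap)
        return trap


def run_samples(trap: HysteresisTrap, samples: List[int]) -> List[str]:
    """Apply a sequence of samples and return the traps generated."""
    return [t for t in (trap.update(v) for v in samples) if t is not None]


if __name__ == "__main__":
    # Constructed CPU-utilisation samples in percent, not measurements.
    cpu = HysteresisTrap("brokerCpuUtil", hi_water=90, lo_water=70)
    print(run_samples(cpu, [50, 85, 92, 95, 80, 75, 70, 60, 91]))
    # -> ['brokerCpuUtilAlert', 'brokerCpuUtilNormal', 'brokerCpuUtilAlert']
    # A value bouncing between the two thresholds produces no extra traps.
    rsp = HysteresisTrap("serverRspTm", hi_water=500, lo_water=200)
    print(run_samples(rsp, [600, 300, 600, 300]))   # -> ['serverRspTmAlert']
```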

Director and Redundant Director Operational State

Operational state of the Director can be monitored through operationState. Whenever the value of operationState changes, the operationStateChanged trap is sent. The operational state of the redundant Director in a serial-cable failover configuration is monitored through redundantBrokerState. The traps redundantBrokerUp and redundantBrokerDown are sent to alert the administrator of any changes in the availability of the redundant Director.

hpl7-broker-mib.my

NOTE: This MIB is not available on the SA7200.

hpl7-broker-mib.my defines objects and traps for Layer 7 load balancing. The hpl7-broker-mib.my objects and traps are discussed below.

HTTP Monitor Table

A 24-hour history of HTTP performance is maintained in httpMonTable. httpMonTable is indexed by hours of the day, so httpMonTable is indexed from 0 to 23. To get the current HTTP performance numbers, index the table by the current hour. Each entry in the table contains the following information:

httpRedirects
httpErrsToClient
http606Redirects
http606ErrsToClient
invalidHttpReq
httpServerErrs

Using the Intelligent Session Recovery feature, the Director can be 
configured such that if a server returns an HTTP error, the Director 
intercepts the error and resubmits the HTTP request to another server 
for fulfillment. Each server is tried in sequence until the HTTP 
request is fulfilled. If the HTTP request is fulfilled, the client sees a 
successful completion of the request. Otherwise, the client receives a 
503 error from the Director. 

httpRedirects is the number of times during the hour that the 
Director redirected a request to a server. httpErrsToClient is the 
number of times during the hour that a 503 error is returned to the 
client because all redirection attempts failed to fulfill an HTTP 
request. A trap threshold, httpErrsToClientTh, is available in 
the MIB. If httpErrsToClient reaches httpErrsToClientTh 
during the current hour, a trap is sent. httpErrsToClientTh can 
be set to any positive number. If httpErrsToClientTh is set to 0, 
no trap is sent. Since the value of httpErrsToClient during the 
hour is accumulative and does not fluctuate, low and high water 
thresholds are not necessary for hysteresis. 

The SA8220 can be configured such that if a server returns an HTTP 606 error, the Director intercepts the error and resubmits the HTTP request to another server for fulfillment. Each server is tried in sequence until the HTTP request is fulfilled. If the HTTP request is fulfilled, the client sees a successful completion of the request. Otherwise, the client receives a 503 error from the Director.

http606Redirects is the number of times during the hour that the Director redirected a request to a server. http606ErrsToClient is the number of times during the hour that a 503 error is returned to the client because all redirection attempts failed to fulfill an HTTP request. A trap threshold, http606ErrsToClientTh, is available in the MIB. If http606ErrsToClient reaches http606ErrsToClientTh during the current hour, a trap is sent. http606ErrsToClientTh can be set to any positive number. If http606ErrsToClientTh is set to 0, no trap is sent. Since the value of http606ErrsToClient during the hour is accumulative and does not fluctuate, low and high water thresholds are not necessary for hysteresis.

invalidHttpRequests returns the number of invalid HTTP requests received by the Director during the hour.

httpServerErrs is the number of timeouts, HTTP errors and HTTP 606 errors received from servers during the hour.

hpssl-acceleration-mib.my

NOTE: This MIB is available only on the SA8200/SA8220.

hpssl-acceleration-mib.my defines objects and traps for Layer 7 load balancing. The hpssl-acceleration-mib.my objects and traps are discussed below.

SSL Monitor Table 

A 24-hour history of SSL performance is maintained in sslMonTable. sslMonTable is indexed by hours of the day, so sslMonTable is indexed from 0 to 23. To get the current SSL performance numbers, index the table by the current hour. currentHour is defined in hpl7-broker-mib.my. Each entry in the table contains the following information.

sslPeakCpsRate
sslCpsRate
sslConnProcessed
sslTraffic
sslErrs

sslPeakCpsRate is the peak SSL connection/second rate processed by the SA8220 for the hour. sslCpsRate is the connection/second rate for the hour.

sslConnProcessed is the number of SSL connections handled by the SA8220 during the hour.

sslTraffic indicates whether or not SSL traffic exceeded maximum capacity at least once during the 1-hour period. This object starts with the value "ok" and is changed to "overflow" at the first instance in which SSL traffic exceeds the capacity of the box. The value does not toggle back to "ok." In this way, a 24-hour history of SSL traffic capacity can be retrieved. An sslTrafficOverflowAlert trap is sent when the value goes to "overflow" for the current hour.
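How the hour-indexed httpMonTable counters with their single cumulative threshold (described under HTTP Monitor Table) and the latching sslTraffic object of sslMonTable behave over one hour, as an added Python model that is not HP's code. Clearing a row when its hour comes round again and sending the threshold trap only once per hour are assumptions; the traffic in demo() is constructed.

```python
# Added example, not HP code: a model of the 24-row monitor tables, the
# once-per-hour httpErrsToClientTh trap and the latching sslTraffic value.

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HourEntry:
    """One row of the hour-indexed monitor tables (index 0..23)."""
    httpRedirects: int = 0
    httpErrsToClient: int = 0
    sslConnProcessed: int = 0
    sslTraffic: str = "ok"        # latches to "overflow", never back to "ok"
    errs_trap_sent: bool = False  # httpErrsToClientAlert already sent this hour


class MonitorTable:
    """currentHour selects the live row; the other rows keep 24h of history."""

    def __init__(self, httpErrsToClientTh: int = 0):
        self.rows: Dict[int, HourEntry] = {h: HourEntry() for h in range(24)}
        self.httpErrsToClientTh = httpErrsToClientTh   # 0 disables the trap
        self.traps: List[str] = []

    def roll_hour(self, hour: int) -> None:
        """Clock enters `hour`: the row that held the same hour of the
        previous day is cleared (assumed behaviour)."""
        self.rows[hour % 24] = HourEntry()

    def record_recovery(self, hour: int, redirects: int, fulfilled: bool) -> None:
        """Outcome of Intelligent Session Recovery for one client request:
        `redirects` resubmissions were made; if none succeeded the client
        received a 503 and httpErrsToClient grows by one."""
        row = self.rows[hour % 24]
        row.httpRedirects += redirects
        if fulfilled:
            return
        row.httpErrsToClient += 1
        th = self.httpErrsToClientTh
        # The counter only grows within the hour, so one threshold suffices:
        # trap once when it is reached, never when the threshold is 0.
        if th > 0 and row.httpErrsToClient >= th and not row.errs_trap_sent:
            row.errs_trap_sent = True
            self.traps.append(f"httpErrsToClientAlert@{hour % 24}")

    def record_ssl(self, hour: int, connections: int, overflowed: bool) -> None:
        """Account SSL connections; the first overflow of the hour latches
        sslTraffic and sends sslTrafficOverflowAlert, later ones are silent."""
        row = self.rows[hour % 24]
        row.sslConnProcessed += connections
        if overflowed and row.sslTraffic == "ok":
            row.sslTraffic = "overflow"
            self.traps.append(f"sslTrafficOverflowAlert@{hour % 24}")

    def history(self, column: str) -> List[int]:
        """The 24-hour history of one column, index 0..23."""
        return [getattr(self.rows[h], column) for h in range(24)]


def demo() -> MonitorTable:
    """Constructed traffic for hour 10 of the day, not measured data."""
    t = MonitorTable(httpErrsToClientTh=3)
    t.roll_hour(10)
    t.record_recovery(10, redirects=2, fulfilled=True)     # recovered
    for _ in range(4):                                      # four 503s
        t.record_recovery(10, redirects=3, fulfilled=False)
    t.record_ssl(10, connections=500, overflowed=False)
    t.record_ssl(10, connections=800, overflowed=True)
    t.record_ssl(10, connections=100, overflowed=True)     # second overflow
    return t


if __name__ == "__main__":
    table = demo()
    print(table.traps)
    # -> ['httpErrsToClientAlert@10', 'sslTrafficOverflowAlert@10']
```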

hpuser-mib.my

The MIB file hpuser-mib.my contains definitions for the operatorLogin and operatorLogout traps.

Trap Summary

The following list summarizes the traps generated by the SA8220. For details about a particular trap, please read the description of each MIB above, or read the documentation within the MIB file. Traps are generated by SNMPv2c.



Standard SNMP Traps

coldStart
authenticationFailure
linkUp
linkDown

hpbroker-mib.my

serverPingAlert
serverPingNormal
serverStateChanged
serverRspTmAlert
serverRspTmNormal
serverCpsAlert
serverCpsNormal
serverConnCntAlert
serverConnCntNormal
serviceStateChanged
serviceRspTmAlert
serviceRspTmNormal
serviceCpsAlert
serviceCpsNormal
serviceConnCntAlert
serviceConnCntNormal
brokerCpsAlert
brokerCpsNormal
brokerConnCntAlert
brokerConnCntNormal
brokerCpuUtilAlert
brokerCpuUtilNormal
operationStateChanged
redundantBrokerDown
redundantBrokerUp

hpl7-broker-mib.my

NOTE: This MIB is not available on the SA7200.

httpErrsToClientAlert
http606ErrsToClientAlert

hpssl-acceleration-mib.my

NOTE: This MIB is available only on the SA8200/SA8220.

sslTrafficOverflowAlert

hpuser-mib.my

operatorLogin
operatorLogout



Displaying SNMP Parameters



The GUI's Administration-SNMP tab displays all SNMP parameters. 
In the CLI, type this command to display all SNMP parameters: 

show sys snmp info 

Ensure that the SA8220's IP Filtering security mechanism allows IP 
access to SNMP, otherwise SNMP requests will not pass through the 
filter. 



Configuring Community Authentication and Security Parameters



The SA8220 SNMP supports community-based authentication. An 
unlimited number of community strings can be configured for use by 
the SA8220. Each community string can have read-only (ro) or read- 
write (rw) privilege, and can be configured for use by a specific IP 
address or all IP addresses. When the value any is used for <ip 
address>, the community string can be used by all IP addresses. 
The following CLI commands are used to display and configure SNMP community strings. These parameters are also configurable in the Administration-SNMP tab of the Web-based GUI interface.

config sys snmp community info

config sys snmp community create <string> ip <ip address> rights [ro|rw]

config sys snmp community delete <string> ip <ip address>

For example: 



config sys snmp community create test ip 209.218.240.5 rights ro

creates the community string test with read-only privilege. SNMP read-only requests using community string test will be accepted only from IP address 209.218.240.5.

By default the following community strings are defined: 

public ro any 
private rw any 
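A model of the community-based authentication described above, together with an audit that flags the two default strings that the Recommended Security Configuration in Appendix A deletes, as added Python code that is not HP's agent. The `<string> <rights> <ip>` line layout follows the default list above (an assumption about the real listing format), and the 209.218.240.x addresses are the page's own example values.

```python
# Added example, not HP code: models SA8220 community-string checks and
# audits the shipped defaults (public ro any / private rw any).

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Community:
    string: str   # the community string
    rights: str   # "ro" or "rw"
    ip: str       # one IPv4 address, or "any"


def parse_communities(listing: str) -> List[Community]:
    """Parse '<string> <rights> <ip>' lines (the layout of the default
    list on the page; treat this as an assumption about the real
    'config sys snmp community info' output)."""
    entries = []
    for line in listing.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("ro", "rw"):
            raise ValueError(f"unrecognised community line: {line!r}")
        entries.append(Community(*parts))
    return entries


def authorize(communities: List[Community], community: str,
              src_ip: str, is_set: bool) -> bool:
    """Decide whether the agent accepts a request. An entry matches when
    its string equals the request's community and its ip is 'any' or
    equals the source address; a SET additionally needs rw rights.
    Several entries may share one string (one per permitted address).
    A False result is where a real agent would send the
    authenticationFailure trap listed in the Trap Summary."""
    for c in communities:
        if c.string != community:
            continue
        if c.ip != "any" and c.ip != src_ip:
            continue
        if is_set and c.rights != "rw":
            continue
        return True
    return False


def audit(communities: List[Community]) -> List[str]:
    """Flag entries the recommended security configuration removes:
    the well-known default strings and any entry usable from every IP."""
    findings = []
    for c in communities:
        if c.string in ("public", "private"):
            findings.append(f"{c.string}: well-known default community string")
        if c.ip == "any":
            findings.append(f"{c.string}: usable from any IP address")
        if c.rights == "rw" and c.ip == "any":
            findings.append(f"{c.string}: read-write with no source restriction")
    return findings


if __name__ == "__main__":
    # Constructed listings: the factory defaults and a hardened replacement.
    defaults = parse_communities("public ro any\nprivate rw any")
    hardened = parse_communities("test ro 209.218.240.5")
    print(authorize(defaults, "private", "10.0.0.9", is_set=True))     # True
    print(authorize(hardened, "test", "209.218.240.1", is_set=False))  # False
    for finding in audit(defaults):
        print("finding:", finding)
```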

The SA8220 has an IP filtering capability accessible through the 
Administration-Security tab or the config sys security command. 
Make sure that security is configured so that SNMP request packets 
are allowed to pass through the IP filter. Security mode must either be 
OPEN or CUSTOM. If mode is CUSTOM, SNMP access must be 
enabled. Either of the following two sets of CLI commands configure 
Security to enable SNMP: 



config sys security mode open 



or 



config sys security mode custom 
config sys security custom snmp enable 
Configuring Trap Parameters



NOTE: These 
parameters are also 
configurable in the 
Administration-SNMP 
tab of the Web-based GUI 
interface. 



Use the following CLI commands to display and configure SNMP 
trap parameters: 

config sys snmp trap info

config sys snmp trap port <port>

config sys snmp trap create <ip address> community <community>

config sys snmp trap delete <ip address> community <community>

By default, the UDP port used for sending traps is 162. The trap port 
can be changed to a number between 5020 and 65535, or left at 162. 

The SA8220 SNMP can send trap notifications to an unlimited 
number of configured trap receivers. Each IP address configured as a 
trap receiver is associated with a community string included in traps 
sent to that IP address. For example: 

config sys snmp trap create 209.218.240.5 community NOC1

sends traps to IP address 209.218.240.5, and causes the SA8220 SNMP agent to include the community string NOC1 in the trap.



Other Configurable SNMP Parameters



NOTE: These 
parameters are also 
configurable in the 
Administration-SNMP 
tab of the GUI interface. 



The following CLI commands are used to display and configure 
general SNMP parameters: 

config sys snmp info 

config sys snmp port <port> 

config sys snmp sysContact <string> 

config sys snmp sysName <string> 

config sys snmp sysLocation <string> 

SNMP port is used by the SA8220 SNMP to listen for SNMP 
requests. By default, the SNMP port is 161. The SNMP port can be 
changed to a number between 5020 and 65535, or left at 161. 

sysContact, sysName and sysLocation correspond to the MIB
variables of the same name in MIB-II. sysContact is the name of 
the administrator of this SA8220. By default, sysContact is 
NULL. sysName is the name of the SA8220. By default, sysName 
contains the hostname of the SA8220. sysLocation indicates 
where the SA8220 is physically located. By default, sysLocation 
is NULL. 
Software Updates

NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models.

This chapter covers the following topics:

• Upgrading or Updating Your System Software

• Downloading and Installing the Software
Updating Your System Software

Your HP e-Commerce Traffic Director Server Appliance SA8200/ 
SA8220 is shipped with the latest system software installed. After 
initial installation and setup, you may be eligible for, or choose to 
purchase, a software version update or product upgrade. Update and 
upgrade procedures are performed using either the Graphical User 
Interface (please see "Graphical User Interface", Chapter 4) or the 
Command Line Interface (please see "Command Line Interface, 
Chapter 5). This chapter describes how to update or upgrade using the 
CLI. 



Multiple Software Images



The SA8220 provides sufficient local storage for up to five software 
images (though at any time, only one image is active and executing). 
You can download and install new software images on the SA8220 
using the CLI command, config sys software install.



Software Image Media



Depending on the circumstances, you may receive your software 
update or upgrade from CD-ROM as part of a new software kit, or 
you can download it from an HP software Web site. In either case, the 
distribution consists of a single large binary file of approximately 50 
MB. The first step in software installation is to place this install image 
file on an ftp server accessible by the SA8220. 



Saving Your Current Configuration



Username commands are not valid in configuration files, that is, 
save config and restore config operations do not include 
username data. 

The SA8220 configurations are not, by default, preserved across 
major software updates and upgrades. It is however possible to save 
your existing SA8220 configuration while running your currently 
installed software, and subsequently restore it to your updated 
system. You can save your current configuration with the save 
command. 
Downloading and Installing the Software

The process for downloading and installing the software is the same 
whether the image is a version update, product upgrade, or patch. 
After the install file is on an ftp server, use the GUI or the CLI to 
download and install it onto the SA8220. Although it is possible to 
install software while the SA8220 is operating, it is recommended 
that you configure a backup SA8220 before installation to minimize 
your downtime. If no backup is available, it is best to perform 
installation at off-peak times. 

1. To install the image, type this command: 



config sys software install 



NOTE: If you install the 
same image as the 
currently running image, 
the system will 
automatically reboot. 



• If you are installing a software version update, your unit is 
already licensed to execute the update image. If you are 
upgrading from a SA7200 to a SA7220, you need a license key. 
Contact HP Customer Support to obtain a key. 

• You need the ftp server's hostname, a user name, password, and 
the image's filename. 

2. When you have these items, type this command from the CLI: 



config sys software install

Below are some examples of syntax for ftp downloads:

NOTE: The examples shown here are for illustrative purposes only. Actual inputs will be unique to each installation.

FTP software update (no key required)

config sys software install ftp://myftpserver/dir1/dir2/install_Pivot.SA8220.2.3.0.0.221 user myftpuser password myftppw

FTP software upgrade

config sys software install ftp://myftpserver/dir1/dir2/install_Pivot.SA8220.2.3.0.0.221 user myftpuser password myftppw key AAAA-BBBB-CCCC-DDDD

Status information appears as the installation progresses. If the install status information indicates that the installation failed due to an incorrect URL, user name, or password information, verify this data and reenter the command with the appropriate corrections.






Rebooting with the New Image and Verifying Installation



As an added security feature, you must be connected to the serial 
console throughout this section. 

After the image has been downloaded and installed, it can be verified 
by way of the CLI command, show sys software info. For 
example, after downloading and installing an update, the response to 
show sys software info might look like the example shown 
below. 



Index   Product   Version   Patch   Build   Active

1       SA8220    2.4       0.0     38

2       SA7220    2.3       1.0     40      Yes



NOTE: If any errors occurred during installation, the show sys software info command may display the image as installed, but the downloaded image is not safe to use. Use config sys software delete to delete the image and repeat the installation before continuing. If the problem persists, contact HP Customer Support.



The data above indicates that version 2.4 of SA8220 software has 
been installed and is ready for service. 

1. Verify your connection to the serial console. 

2. To activate the new image, type this command: 

config sys software boot 1 

This causes the SA8220 to reboot under the new image. This 
command can also be used to restore the previous version of 
software. 
Upgrading Under Serial Cable Failover Configuration



NOTE: In this example, 
System A is the failover 
Primary and is online. 
System B is the failover 
Backup and is offline. 



Upgrading software versions on two SA8220s (System A and System 
B) configured for serial cable failover presents a special case. This 
procedure ensures minimum downtime during upgrade. 

1. At System A's run time CLI, type the save command to save its current configuration in a file, such as beforeupgrade.cfg.

2. At System A's CLI, type this command:

config sys software install ftp://url/path_to_install_image user <username> password <password>

This downloads the new image and installs it on System A.

3. At System B's CLI, type this command:

config sys software install ftp://url/path_to_install_image user <username> password <password>

This downloads the new image and installs it on System B. 

4. At System B's CLI, type this command: 

config sys autoboot disable 

This ensures that System B pauses at the Boot Monitor. 

5. Boot System A with the newly installed software image (allow 
System A to boot and enter the Boot Monitor by pressing a key at 
the appropriate prompt during the boot sequence before 
proceeding to the next step). This will force a failover, and 
System B will come online as Backup. 

6. Boot System B with the newly installed software image and 
proceed immediately to step 7. 

7. In the Boot Monitor on System A, type the boot command. 
System A will come online as Primary. Proceed immediately to 
step 8. 

8. At the prompt, type the new root password. This password must 
consist of 8 to 128 characters. 

9. Log on to System A's CLI and restore the previously saved 
configuration file <beforeupgrade.cfg>.

10. In the Boot Monitor on System B, type the boot command. 
System B will remain offline as backup. 
11. At the prompt, type the new password. This password must also consist of 8 to 128 characters. 

12. If desired, type the following command in System B's CLI to 
enable autoboot: 

config sys autoboot enable 






Appendix A 
Security Configuration 



Recommended Security Configuration 

This section describes configuration options to enhance the level of 
protection of your system. For more details, please see "Command 
Line Interface" in Chapter 5. 

1. If you have not already done so, change the admin password by typing the config cli username command. 

2. Set security to closed or custom mode by typing the config sys security mode <closed | custom> command. Closed mode restricts administration to the serial port. By default, custom mode enables both SSH and the serial port. You can view the current settings of your system by typing the config sys security info command. 
3. With custom mode access, control lists can be used to further enhance administration security by restricting management functionality to either your IP or subnet. Type the commands as shown below: 

config sys security custom access-control enabled 

config sys security custom acl add ip <ip address> 

For a subnet entirely under your control, type the following command: 

config sys security custom acl add netmask <ip address>/<mask length> 

4. If you want to use SNMP, reads and traps should be restricted to the specific IPs of logging hosts or administration machines. Type the following commands for this purpose. The system must be in custom mode and SNMP access must be enabled. 

config sys snmp community delete public ip any 

config sys snmp community delete private ip any 

config sys snmp community create <community string> ip <ip address> rights [ro|rw] 

5. Always remember to save your configuration by typing the save <filename> command. 
Obtaining Keys and Certificates 

NOTE: This chapter applies to the SA8200/SA8220 only. The SA8220 comes with default keys and certificates for test purposes. However, certificates for production use must be obtained from a recognized Certificate Authority. 



Keys and certificates are necessary for the successful operation of the SA8220 for e-Commerce traffic processing. There are three ways to obtain them: 

• Obtain a certificate from Verisign* or another Certificate Authority (CA) 

• Import an existing key and certificate into the SA8220 

• Create a new key or certificate on the SA8220 

The SA8220 supports certificates in PEM format. 
Copying and Pasting Keys and Certificates 



Copying and pasting is an integral part of the next several procedures. 
Below are steps required to perform these tasks using 
HyperTerminal*. If you use another terminal program, consult that 
product's documentation for the appropriate procedures. 

To copy an item (key, certificate signing request, etc.) from 
HyperTerminal* : 

1. Open the HyperTerminal* window. 

2. Click and drag to select the item. 

3. After the item is selected, open the Edit menu and click Copy (or 
type <ctrl-c>). 

4. Open the window where you will paste the data, and position the 
cursor at the appropriate point. 

5. In the Edit menu, click Paste (or type <ctrl-v>). 

To paste an item (key, certificate signing request, etc.) into 
HyperTerminal* : 

1. Display the item in the appropriate application window, then click and drag to select the item. 

2. Once the item is selected, click the Edit menu and select Copy 
(or type <ctrl-c>). 

3. Move to the HyperTerminal* window, and position the cursor at 
the appropriate point. 

4. Pull down the Edit menu, and select Paste to Host (or type 
<ctrl-v>). 
Obtaining a Certificate from Verisign or another CA 

NOTE: Be sure to save your configuration after creating a key. If the configuration is not saved, and a power outage or factory_reset occurs, the unsaved key will be lost, rendering the certificate invalid. Also, for optimal security, one or more fields must be modified to make the DN unique. 



Use the policy manager key create command to create your key 
and the key signrequest create command to create a signing 
request to be sent to Verisign or another CA for authentication. The 
CA will return the certificate, but there may be a delay of 1-5 days. 

This method is used when certificate authentication is desired. The 
fields input as part of creating a signing request are called a 
Distinguished Name (DN). 

Procedure 

1. To create a key, type the following command: 

HP SA8220#config policygroup <name> service <name> key create [512 | 1024] 

2. To create the signing request, type the following command: 

HP SA8220#config policygroup <name> service <name> key signrequest create [DN parameters] 

Where the optional DN parameters are shown below. 

Element        Description 
life           The number of days that the certificate remains valid. The default is 30 days. 
name           The common (server) name 
email          Your email address 
state          Your state or province 
organization   Your company name 
unit           Your organizational section 
locality       Your town or city 

3. Use the policy manager key signrequest export command to paste or ftp the signing request to another system and submit it to the CA. 



4. When returned by the CA, import the certificate into the SA8220. 
Importing Keys into the SA8220 

NOTE: Do not interrupt the import process. If you do interrupt the process, delete the key and start again. 



The recommended method for importing an existing key is to copy the key (a block of ASCII text) from your backup SA8200 key file, then paste it into the SA8220's console window when prompted. 

For more details about copying and pasting, please see "Copying and 
Pasting Keys and Certificates" in this appendix. 

To paste in a key: 

1. Type the import command and press <Enter>. 
The CLI prompts you to paste in the key. 

2. When finished, type three periods ("...") on a separate line, then 
press <Enter>. 

3. When the procedure is complete, you can type info at the 
prompt to verify the key's transfer to the SA8220. 

An alternative method for importing an existing key is to ftp the key, 
as shown below: 



config policygroup <policy-name> service <service-name> key import [<url> {user <user name>} {password <password>}] 

where url is a valid URL identifying the private key file to download (it must be in the form ftp://<host>/<path_name>), user is the username, and password is the password. 
Importing Certificates into the SA8220 

NOTE: Do not interrupt the import process. If you do interrupt the process, delete the certificate and start again. 



The recommended method for importing an existing certificate is to 
copy the certificate (a block of ASCII text) from your certificate 
server console window, then paste it into the SA8220's console 
window when prompted. 

For more details about copying and pasting, please see "Copying and 
Pasting Keys and Certificates" in this appendix. 

To paste in a certificate: 

1. Type the import command and press <Enter>. 
The CLI prompts you to paste in the certificate. 

2. When finished, type three periods ("...") on a separate line, then 
press <Enter>. 

3. When the procedure is complete, you can type info at the 
prompt to verify the certificate's transfer to the SA8220. 

An alternative method for importing an existing certificate is to ftp 
the certificate, as shown below: 

config policygroup <name> service <name> key certificate import [<url> user <username> password <password>] 

where url is a valid URL identifying the certificate file to download (it must be in the form ftp://<host>/<path_name>), user is the username, and password is the password. 
Creating a new Key/Certificate on the SA8220 

NOTE: For optimal security, one or more fields must be modified to make the DN unique. 

NOTE: Alternatively, default DN parameters can be specified using the config ssl dn command. This allows recurring parameters to be specified once and then reused for multiple certificates. 



Use the policy manager key create and key create 
certificate commands to create new keys and certificates for 
SA8220 operation. This procedure can be used when there are no 
existing keys and certificates on the server. The advantage is that this 
method is very fast, but a CA has not signed the certificates. This 
means that users will have to explicitly accept the certificate the first 
time they connect to your site. 

The fields input as part of creating a certificate are called a 
Distinguished Name (DN). 

Procedure 

1. To create a key, type this command: 

HP SA8220#config policygroup <name> service <name> key create [512 | 1024] 

2. To create a certificate, type this command: 

HP SA8220#config policygroup <name> service <name> key create certificate [DN parameters] 

Where the optional DN parameters are shown below. 

Parameter      Description 
life           The number of days that the certificate remains valid. The default is 30 days. 
name           The common (server) name 
email          Email address 
state          Your state or province 
organization   Your company name 
unit           Your organizational section 
locality       Your town or city 
Using Global Site Certificates 



Overview 

The export versions of Internet Explorer and Netscape 
Communicator initiate an SSL connection to the SSL server to use 
40-bit encryption, even though the browser is capable of 128-bit 
encryption. The server responds to the browser with a digital 
certificate. If the certificate is not a global site certificate, both the 
browser and server will continue the SSL handshake and use the 40- 
bit key to encrypt application data. If the certificate is a global site 
certificate (GSC), however, the client will terminate the previous SSL 
handshake and renegotiate the connection to use 128-bit encryption. 

A GSC is normally signed by an intermediate certificate authority 
(CA), just like traditional certificates. The intermediate CA is either 
Microsoft SGC Root, or Verisign Class 3 CA. These are called 
chained certificates. When the browser gets the certificate from the 
server along with the intermediate CA, it will verify the certificate, 
the intermediate CA, and the root CA to determine the GSC 
capability. The root CA is normally installed in the browser, but not 
the intermediate CA. So the SA8220 should be able to send both the 
certificate and the intermediate CA. 



Using the CLI 

If the certificate is not a global site certificate, the customer will only 
need to import the certificate. If it is a global site certificate, the 
customer has to import both the certificate and the intermediate CA 
so that the CA is the last in the chain. 

Type the import certificate command to import a certificate 
or chained certificates. If the certificate is signed by a CA, paste the 
CA after the certificate. If the CA is signed by another CA, paste the 
CA after the signed CA, and so on. Here is an example: 

HP SA8220/config/policygroup/test/service/test/key/certificate#import 

When you type or paste in data, you must end the data entry with three 
periods (...) alone on a line. This displays the command prompt. 
NOTE: There must be no white space before, between, or after certificates, and the "-----BEGIN CERTIFICATE-----" headers and "-----END CERTIFICATE-----" trailers must all be retained. 



An example of a chained-certificate import is shown below (the certificate bodies are abbreviated): 

-----BEGIN CERTIFICATE----- 
MIIFZTCCBM6gAwIBAgIQCTN2wvQH2CK+rgZKcTrNBzANBgkq 
hkiG9wOBAQQFADCBujEfMB0GAlUEChMWVmVyaVNpZ24gVHJl 
c3QgTmV0d29yazEXMBUGAlUECxMOVmVyaVNpZ24sIEluYy4x 
MzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy 
(lines omitted) 
dmVyIENBIC0gQ2xhc3MgMzFJMEcGAlUECxNAd3d3LnZlcmlz 
aWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZ 
IExURC4oYyk5NyBWZXJpU21nbjAeFwO50TExMTEwMDAwMDBa 
Fw0wMDExMTAyMzU5NTlaMIHHMQswCQYDVQQGEwJVUzETMBEG 
(lines omitted) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
MIIEMTCCA5qgAwIBAgIQI2yXHivGDQv5dGDe8QjDwzANBgkq 
hkiG9wOBAQIFADBfMQswCQYDVQQGEwJVUzEXMBUGAlUEChMO 
VmVyaVNpZ24sIEluYy4xNzAlBgNVBAsTLkNsYXNzIDMgUHVi 
bGljIFByaWlhcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw 
HhcNOTcwNDE3MDAwMDAwWhcN 
(lines omitted) 
OTk3IFZlcmlTaWduMA0GCSqGSIb3DQEBAgUAA4GBALiMmMMr 
SPVyzWgNGrNOY7uxWLaYRSLsEY3HTjOLYlohJGyawEK0Rak6 
+2fwkb4YH9VIGZNrjcs3S4bmfZv9jHiZ/4PC/NlVBp4xZkZ9 
G3hg9FXUbFXIaWJwfE22iQYFm8hDjswMKNXRjMlGUOMxlmaS 
ESQeSltLZ151VR5fN5qu 
-----END CERTIFICATE----- 
... 
Certificate successfully imported 

HP SA8220/config/policygroup/test/service/test/key/certificate# 

In this example, two certificates are imported: the certificate and then 
the CA certificate. Together these two certificates will cause a step- 
up in the encryption to RC4-128 bit RSA. No special command or 
handling is required to paste these two certificates as long as they are 
pasted in this order. 
Generating a Client CA 

NOTE: To acquire a copy of OpenSSL* for your environment, access the OpenSSL website at http://www.openssl.org. 

NOTE: The DN information typed in step 5 must differ from the DN information typed in step 6. 



This procedure shows how to generate a client CA using OpenSSL: 

1. Create a working directory where all the keys and certificates will be stored. 

2. Copy the file openssl.cnf from the OpenSSL source directory. 

3. Create a private key by typing this command: 

openssl genrsa -out key.pem 1024 

4. Create another private key by typing this command: 

openssl genrsa -out ca_key.pem 1024 

5. Now generate the client CA by typing this command: 

openssl req -new -x509 -config openssl.cnf -key ca_key.pem -out ca_cert.pem 

6. Generate the client certificate signing request by typing this command: 

openssl req -new -config openssl.cnf -key key.pem -out csr.pem 

7. Sign the client certificate request by typing this command: 

openssl x509 -req -CAcreateserial -CAkey ca_key.pem -CA ca_cert.pem -in csr.pem -out cert.pem 

8. Combine the key.pem and cert.pem files into one file by typing this command: 

cat key.pem cert.pem > all.pem 

9. Convert to PKCS#12 (.p12) format by typing this command: 

openssl pkcs12 -export -in all.pem -out <file>.p12 -name "MY NAME" 

The output file <file>.p12 will be imported into the browser as a personal certificate. 
Generating a CRL 

NOTE: To acquire a copy of OpenSSL for your environment, access the OpenSSL website at http://www.openssl.org. 

NOTE: Most of these commands use the openssl.cnf file. Make sure the information presented in this file is accurate and that it reflects the directory structure used. Filenames and directory names are both important for these commands to work properly. For more information on how to use openssl, visit http://www.openssl.org. 



This procedure shows how to generate a Certificate Revocation List (CRL) using OpenSSL: 

1. If you have not already done so, create a working directory where all the keys and certificates will be stored. 

2. If you have not already done so, copy the file openssl.cnf from the OpenSSL source directory. 

3. Create a private key for the SA8220 CA certificate by typing this command: 

openssl genrsa -out ca_key.pem 1024 

4. Create the CA certificate for the SA8220 by typing this command: 

openssl req -new -x509 -config openssl.cnf -key ca_key.pem -out ca_cert.pem 

5. Import this file to the SA8220. 

6. Create a private key for the signing request by typing this command: 

openssl genrsa -out clientkey1.pem 1024 

7. Generate a signing request by typing this command: 

openssl req -new -config openssl.cnf -key clientkey1.pem -out clientrequest1.pem 

8. Repeat steps (6) and (7) above for each additional client certificate, incrementing the number in clientkey1.pem and clientrequest1.pem by one each time. 

9. Sign all the requests generated above by typing this command: 

openssl ca -keyfile ca_key.pem -cert ca_cert.pem -infiles clientrequest1.pem clientrequest2.pem clientrequest3.pem ... 

10. For all client certificates, create a CRL by typing this command: 

openssl ca -gencrl -out crl.pem 

11. Import this file to the SA8220. 

12. Combine the clientkey1.pem and cert.pem files into one file by typing this command: 

cat clientkey1.pem cert.pem > all.pem 

13. Convert to PKCS#12 (.p12) format by typing this command: 

openssl pkcs12 -export -in all.pem -out <file>.p12 -name "MY NAME" 

Revoking a Certificate 

1. To revoke a certificate, type this command: 

openssl ca -revoke clientcertificate.pem 

2. Generate a new CRL to incorporate the revoked certificate by typing this command: 

openssl ca -gencrl -out crl.pem 
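The two OpenSSL procedures above ("Generating a Client CA" and "Generating a CRL", including "Revoking a Certificate") and the chained-certificate ordering rule from "Using Global Site Certificates", carried through as one added example. This is editor-supplied shell, not HP's or the OpenSSL project's code. It assumes a CA database under ./ca, made-up organization and user names, 2048-bit keys in place of the manual's 1024, and "changeit" as a placeholder PKCS#12 export password; the openssl.cnf it writes is an assumed minimal configuration, since the manual refers to that file but never shows its contents, and `openssl ca` will not run without the database, serial and directory entries it contains.

```shell
#!/bin/sh
# Added example, not from the HP manual: the client-CA, client-certificate,
# CRL and revocation steps as one script, plus a bundle builder that orders
# chained certificates the way the SA8220 import expects. Assumed: the CA
# database lives under ./ca, DNs are made up, keys are 2048 bits, and
# "changeit" is a placeholder PKCS#12 export password.
set -eu

# The openssl.cnf that `openssl ca` needs; the manual says the file must
# reflect the directory structure used but does not show one.
write_openssl_cnf() {
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca       = client_ca
[ client_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = ./ca_cert.pem
private_key      = ./ca_key.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_any
x509_extensions  = client_ext
[ policy_any ]
organizationName = optional
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions  = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# Working directory, CA database files, CA key and self-signed client CA
# certificate (ca_cert.pem is what gets imported into the SA8220).
setup_ca() {
    mkdir -p ca/newcerts
    : > ca/index.txt
    echo 01 > ca/serial
    write_openssl_cnf
    openssl genrsa -out ca_key.pem 2048
    openssl req -new -x509 -config openssl.cnf -key ca_key.pem -days 365 \
        -subj "/O=Example Corp/CN=Example Client CA" -out ca_cert.pem
}

# One client: private key, signing request, CA-signed certificate and the
# PKCS#12 file the browser imports as a personal certificate.
issue_client() {
    openssl genrsa -out "${1}_key.pem" 2048
    openssl req -new -config openssl.cnf -key "${1}_key.pem" \
        -subj "/O=Example Corp/CN=${1}" -out "${1}_csr.pem"
    openssl ca -batch -config openssl.cnf -notext \
        -in "${1}_csr.pem" -out "${1}_cert.pem"
    openssl pkcs12 -export -inkey "${1}_key.pem" -in "${1}_cert.pem" \
        -name "$1" -passout pass:changeit -out "${1}.p12"
}

# crl.pem is what gets imported into the SA8220; regenerate it after
# every revocation, as the "Revoking a Certificate" steps say.
gen_crl()       { openssl ca -config openssl.cnf -gencrl -out crl.pem; }
revoke_client() { openssl ca -config openssl.cnf -revoke "${1}_cert.pem"; gen_crl; }

# Local check of what the appliance will decide: exit 0 if the client
# certificate chains to ca_cert.pem and is not listed in crl.pem.
verify_client() {
    cat ca_cert.pem crl.pem > ca_and_crl.pem
    openssl verify -crl_check -CAfile ca_and_crl.pem "${1}_cert.pem" >/dev/null 2>&1
}

# bundle_for_import LEAF ISSUER [ISSUER ...]: print a chained-certificate
# bundle for the SA8220 `import` command. Every block must be followed by
# the certificate that signed it (checked here by matching issuer to
# subject); BEGIN/END lines are kept and all other whitespace is removed.
bundle_for_import() {
    prev=""
    for cert in "$@"; do
        if [ -n "$prev" ]; then
            issuer=$(openssl x509 -in "$prev" -noout -nameopt RFC2253 -issuer)
            subject=$(openssl x509 -in "$cert" -noout -nameopt RFC2253 -subject)
            if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
                echo "bundle_for_import: $cert did not sign $prev" >&2
                return 1
            fi
        fi
        prev=$cert
    done
    cat "$@" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}
```

Run setup_ca once, then issue_client <name> per user; import ca_cert.pem into the SA8220, and import the new crl.pem after every revoke_client. verify_client mirrors the decision the appliance will make once both files are loaded, and bundle_for_import refuses a bundle whose blocks are in the wrong order, which is exactly the mistake the "paste the CA after the certificate" rule guards against.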

Using Ciphers with the SA8220 

The SA8220 only supports RSA key exchange and authentication. Diffie-Hellman (including Anonymous and Ephemeral) key exchange/authentication and DSS authentication are not supported. 

Use the set cipher command to specify the cipher. The command prompts you for the cipher strength, as shown below. 

Element   Description 
All       All supported ciphers 
High      All ciphers using Triple-DES 
Medium    All ciphers with 128 bit encryption 
Low       All low strength ciphers (no export, single DES) 
Export    All export ciphers 

The default cipher value is all supported ciphers (both SSLv2 and SSLv3). The Low and Export profiles (single DES, 64-bit RC4, 40-bit keys and 512-bit RSA) and SSLv2 as a whole offer no meaningful protection against a modern adversary; restrict a production service to High or Medium unless a known legacy client population requires otherwise. 
The table below provides ciphers supported by the SA8220. Notice that the export version of the software supports only the ciphers marked "E" in the Profile column. 

Cipher Name       Protocol  Key Exchange  Authentication  Encryption (key size)  MAC   Profile (Hi/Med/Low/Export) 
DES-CBC3-SHA      SSLv3     RSA           RSA             3DES(168)              SHA1  H 
IDEA-CBC-SHA      SSLv3     RSA           RSA             IDEA(128)              SHA1  M 
RC4-SHA           SSLv3     RSA           RSA             RC4(128)               SHA1  M 
RC4-MD5           SSLv3     RSA           RSA             RC4(128)               MD5   M 
DES-CBC-SHA       SSLv3     RSA           RSA             DES(56)                SHA1  L 
DES-CBC3-MD5      SSLv2     RSA           RSA             3DES(168)              MD5   H 
IDEA-CBC-MD5      SSLv2     RSA           RSA             IDEA(128)              MD5   M 
RC2-CBC-MD5       SSLv2     RSA           RSA             RC2(128)               MD5   M 
RC4-MD5           SSLv2     RSA           RSA             RC4(128)               MD5   M 
RC4-64-MD5        SSLv2     RSA           RSA             RC4(64)                MD5   L 
DES-CBC-MD5       SSLv2     RSA           RSA             DES(56)                MD5   L 
EXP-DES-CBC-SHA   SSLv3     RSA(512)      RSA             DES(40)                SHA1  E 
EXP-RC2-CBC-MD5   SSLv3     RSA(512)      RSA             RC2(40)                MD5   E 
EXP-RC4-MD5       SSLv3     RSA(512)      RSA             RC4(40)                MD5   E 
EXP-RC2-CBC-MD5   SSLv2     RSA(512)      RSA             RC2(40)                MD5   E 
EXP-RC4-MD5       SSLv2     RSA(512)      RSA             RC4(40)                MD5   E 
HTTP Header Information 

NOTE: Only the SOURCE_IP parameter is supported by the SA7200 and SA7220. 



The SA8220 includes the client IP address and current encryption information in the HTTP request sent to the server. This information is provided below. 

Tag                     Value 
HP_CLIENT_CERTIFICATE   The client certificate in ASCII. 
HP_CIPHER_USED          The cipher suite for the connection. For example: DES-CBC-SHA 
HP_SOURCE_IP            The client's IP address in ASCII. For example: 209.249.194.100 
HP_SSL_SESSION_ID       The SSL session ID in ASCII. For example: 8273A4F348EFF90 



To set up the header-certificate, follow these steps: 

1. Verify that header insertion is enabled at the service level by typing info at the prompt, as follows: 

config policygroup <policygroup name> service <service name> info 

2. By default, header insertion is enabled. If it is not enabled, enable it, as follows: 

config policygroup <policygroup name> service <service name> header enable 

3. By default, header-certificate is disabled. Enable it as follows: 

config policygroup <policygroup name> service <service name> key client-ca header-certificate enable 

4. For more information on header-certificates, please see "HTTP Header Option Fields" in Chapter 2, and "config policygroup service key client-ca header-certificate", in Chapter 5. 

Because these tags are ordinary HTTP request headers, a server should act on them only for requests that arrive from the SA8220 (for example, by accepting connections only from the appliance's server-side address); a client able to reach the server directly could supply headers of the same name. 
Failover Method Dependencies 

Failover Modes 

NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models. 

The failover modes are described below. 



Failover Mode          Description 
Disabled               No failover method is selected 
Serial Cable Failover  An "out-of-band" failover mode that uses the serial cable to share both configuration and failure status 
Routed Failover        An "in-band" failover mode that employs routing protocols 
The table below illustrates feature availability under different failover modes. The interface configurations in the columns are: 

A  Single interface with "outside" router 
B  Dual interface 
C  Dual interface with "outside" router 
D  Dual interface with "inside" and "outside" routers (3) 

Failover mode: Serial Cable Failover OR Disabled 

Feature       A                     B                               C                               D 
VIP ARPing    Only on same subnet   Same subnet, only on "outside"  Same subnet, only on "outside"  Same subnet, only on "outside" 
DHCP          Not with "Serial"     No                              No                              No 
HOT           Yes                   Yes                             Yes                             Yes (5) 
HOT and SAP   Yes (1)               Yes (1)                         Yes (1)                         Yes (1) (4) 
OPR           Yes (needs router)    N/A                             Yes                             No 
RICH          Yes                   Yes                             Yes                             Yes (5) 
RICH and SAP  Yes (1)               Yes (1)                         Yes (1)                         Yes (1) (4) 

Failover mode: Routed Failover 

Feature       A                     B                               C                               D 
VIP ARPing    No (uses loopback)    Requires router                 No (uses loopback)              Same subnet, only on "outside" 
DHCP          Yes                   Requires router                 No                              No 
HOT           Yes                   Requires router                 Yes                             Yes (5) 
HOT and SAP   No                    Requires router                 Yes (1)                         Yes (1) (4) 
OPR           No                    Requires router                 No                              No 
RICH          Yes                   Requires router                 Yes                             Yes (5) 
RICH and SAP  No                    Requires router                 Yes (1)                         Yes (1) (4) 

Failover mode: Serial Cable Failover AND Routed Failover 

Feature       A                     B                               C                               D 
VIP ARPing    N/A                   Same subnet, only on "outside"  N/A                             Same subnet, only on "outside" 
DHCP          No                    No                              No                              No 
HOT           Yes                   Yes                             Yes                             Yes (5) 
HOT and SAP   Yes (1)               Yes (1)                         Yes (1)                         Yes (1) (4) 
OPR           Yes                   N/A                             Yes                             No 
RICH          Yes                   Yes                             Yes                             Yes (5) 
RICH and SAP  Yes (1)               Yes (1)                         Yes (1)                         Yes (1) (4) 

Notes for the table above: 

1. SAP only works if the default gateway = SA8220. 

2. The offline SA8220's routed mode is inactive. 

3. Server(s) are on the other side of the inside router. 

4. SAP only works if the inside router has a default route to the SA8220. 

5. The router must have static routes from the brokered subnet to the server-side subnet. 
Appendix D 
Configuring Out-of-Path Return 

NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models. 

Configure OPR for Windows* 2000* 

Set the Loopback 

1. From the Start menu, click Settings. 

2. Open the Control Panel, as shown in the following figure. 
Windows 2000 Control Panel 



3. Double-click Add/Remove Hardware. 

4. The Add/Remove Hardware Wizard appears, as shown below. 
Add/Remove Hardware Wizard 



5. Click Next to bring up the Choose a Hardware Task screen, as 
shown in the next figure. 
Choose a Hardware Task Screen 



6. Select Add/Troubleshoot a device. 

7. Click Next to bring up a Devices list, as shown in the following 
figure. 
Devices List 



8. Highlight Add a new device. 

9. Click Next to bring up the Find New Hardware screen, as shown 
in the next figure. 
Find New Hardware Screen 



10. Select "No, I want to select the hardware from a list". 

11. Click Next to bring up the Hardware Type screen, as shown in the next figure. 







12. Click Network Adapters. 

13. Click Next to bring up the Select Network Adapter screen. 
14. Under Manufacturers, scroll down to Microsoft. 

15. Under Network Adapter, select Microsoft Loopback Adapter. 

16. Click Next to bring up the Start Hardware Installation screen, as 
shown in the next figure. 
Start Hardware Installation Screen 



17. Click Next to bring up the Completing the Add/Remove 
Hardware Wizard screen, as shown below. 
Completing the Add/Remove Hardware Wizard Screen 

18. Click Finish. 

19. To configure the Loopback, open the Control Panel, as shown in 
the next figure. 
Windows 2000 Control Panel 



20. Double-click the Network and Dial-up Connections icon to bring 
up the next screen, shown in the next figure. 
Network and Dial-up Connections Screen 



21. Highlight Local Area Connection 2 (the Loopback Adapter). 

22. From the menu bar, select File | Properties to bring up the Properties screen, as shown in the next figure. 
Local Area Connection 2 Properties Screen 



23. Scroll down to Internet Protocol (TCP/IP), as shown in the next 
figure, and double-click. 
Select Internet Protocol (TCP/IP) 



24. The Internet Protocol (TCP/IP) Properties screen appears, as shown in the next figure. 
Internet Protocol (TCP/IP) Properties Screen 



25. In the IP address field, type the Virtual IP (VIP) address of the 
SA8220. 

26. In the Subnet Mask field, type the subnet mask appropriate for 
your environment. 

27. Leave the Default Gateway field blank. 

28. Click OK. 

29. Reboot the computer. 
Configure OPR for Windows* NT

Set the Loopback

NOTE: OPR is not available for SSL-enabled services.

1. From the Start menu, click on Settings, then open the Control Panel.

2. The Control Panel appears, as shown below.

Windows NT Control Panel
3. Double-click on the Network icon. 

The Network dialog appears, as shown in the next figure. 
Network Adapter Setting
4. Click the Adapters tab. 

5. Click Add. 

The Select Network Adapter dialog appears, as shown in the next 
figure. 
Choosing the MS Loopback Adapter
6. From the Network Adapter list, select MS Loopback Adapter and click OK.

The MS Loopback Adapter Card Setup dialog appears, as shown in the next figure.

Adapter Card Setup
7. Choose the default Frame Type (802.3) and click OK.

If the necessary files are not found on your system, the Windows NT Setup dialog appears, as shown in the next figure.

Copying Windows NT Files
8. If necessary, specify where Windows NT can find the files and 
click Continue. 

The files will load on your system, and the MS Loopback 
Adapter appears in the Network Adapters list, as shown in the 
next figure. 
MS Loopback Adapter Installed
9. Click the Protocols tab. 

The protocol settings appear, as shown in the next figure. 
Protocol Settings
10. From the Network Protocols list, click TCP/IP Protocol.

11. Click Properties...

The Microsoft TCP/IP Properties dialog appears, as shown in the next figure.
Setting the TCP/IP Properties (the figure shows the MS Loopback Adapter selected, "Specify an IP address" chosen, IP address 10.1.2.102, subnet mask 255.0.0.0 and the default gateway left blank)
12. From the Adapter pull-down menu, select the MS Loopback 
Adapter. 

13. Click Specify an IP address. 

14. In the IP address field, type the Virtual IP (VIP) address of the 
SA8220. 

15. In the Subnet Mask field, type the subnet mask appropriate for 
your environment. 

16. Leave the Default Gateway field blank. 

17. Click Apply. 

18. Click OK. 

19. Reboot the computer. 
Run a Web Service on the Loopback Interface Using IIS 3.0

NOTE: If you cannot find Microsoft Internet Server (Common), you do not have IIS running on your server. Install IIS 3.0 and start this procedure again.

1. From the Start menu, click Programs and then Microsoft Internet Server (Common) to run the Internet Service Manager.

2. After the Microsoft Internet Service Manager console appears, 
double-click the WWW service. 

The WWW Service Properties for <machine-name> dialog 
box appears, where <machine-name> is the name of your 
system. 

3. In the TCP Port field, type the port number of the OPR service 
on the SA8220. 

4. Select the Directories tab and click Add.

The Directory Properties dialog box appears.

5. Browse and click to select the home directory for the server. 

6. Click the Home Directory check box. 

7. Click the Virtual Server check box, and in the text field provided 
type the VIP that was aliased on the loopback (please see "Set the 
Loopback" in Appendix F). 

8. Click Ok. 

9. Add the server to the SA8220. 
Run a Web Service on the Loopback Interface Using IIS 4.0

NOTE: If you cannot find Internet Service Manager, you do not have IIS running on your server. Download and install the Option Pack, then start this procedure again.

1. From the Start menu, click Programs, click Windows NT 4.0 Option Pack, and then click Microsoft Internet Information Server.

2. Run the Internet Service Manager. 

3. After the Microsoft Management Console appears, expand the 
Console Root and then the Internet Information Server nodes. 

4. Right-click Default Web Service or the predefined service for this 
Windows NT server and click the Properties option. 

The <service name> Properties dialog box appears. 

5. In the TCP Port field, type the port number of the OPR service 
on the SA8220. 

6. To save and close this dialog box, click Ok. 

7. From the Internet Information Server node, right-click the 

<machine-name> node. Click New and then click Web Site. 

The New Web Site Wizard starts. 

8. Type the description. 

9. Type the IP, using the SA8220's VIP. 

10. Type the port number, using the service port defined on the 
SA8220. 

11. Browse and click to select the home directory for this service.

12. Configure the access permissions. 

13. Click Finish. 

The new service now appears under the <machine-name> node 
as a new node. 



14. Start the new service. 
Configuring OPR for Apache Web Server on a UNIX* machine

This section reproduces the commands required to configure Out-of-Path Return for an Apache Web Server on a UNIX* machine.

Alias the VIP on the loopback interface with one of the following forms, depending on your UNIX variant:

    ifconfig lo0 add <vip>
    ifconfig lo0 <vip> alias
    ifconfig lo0:1 <vip>

1. Add the appropriate command to an /etc/rc file so that this configuration is restored at boot time.

2. Edit httpd.conf to reflect these settings (it is usually found under /var/www/conf/):

    Port <port_number>
    ServerName <the fully qualified name for this server machine>

3. Configure a virtual service (in the same file, vip is the virtual IP configured on the SA8220 to handle OPR):

    <VirtualHost vip>
        ServerName vip
        ServerAdmin admin@mailserver
        # DocumentRoot is usually /var/www/docs
        DocumentRoot /var/www/docs
        ErrorLog /var/log/httpd/vip-error_log
        TransferLog /var/log/httpd/vip-access_log
        # CustomLog /var/log/httpd/vip-access_log combined
    </VirtualHost>

4. Edit /var/www/conf/srm.conf and set the document root to /var/www/docs. For the Apache server to start at boot time, the index.html file must exist. Therefore, in /etc/rc verify the following entry:

    if [ -f /var/www/docs/index.html ]; then
        echo -n ' httpd'; /var/www/bin/start-apache
    fi
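The loopback alias, httpd.conf fragment and /etc/rc check above, scripted as an added example (this is not code from the HP manual): valid_ipv4 rejects malformed VIPs, vip_on_loopback confirms from ifconfig output that the VIP really is aliased on the loopback before the server is added to the SA8220, apache_opr_config emits the Port, ServerName and VirtualHost settings, and docroot_ready tests the index.html precondition the /etc/rc entry relies on. The /var/log/httpd log directory follows the manual; the admin@<fqdn> ServerAdmin address and the SAMPLE_IFCONFIG text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP manual): scripts the OPR steps for Apache on
# a UNIX host. Assumed for illustration: logs live under /var/log/httpd (as in
# the manual), ServerAdmin is admin@<fqdn>, and SAMPLE_IFCONFIG is constructed.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, else 1.
# The body runs in a subshell so that changing IFS and the positional
# parameters does not leak into the caller.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Return 0 if VIP $1 appears as an inet address in ifconfig output $2
# (pass the text of `ifconfig -a`), else 1. The trailing boundary stops
# 10.1.2.10 from matching 10.1.2.102.
vip_on_loopback() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -Eq "inet (addr:)?$esc([^0-9]|\$)"
}

# Print the httpd.conf fragment for the OPR virtual service.
# $1 = VIP, $2 = OPR service port on the SA8220, $3 = server FQDN, $4 = DocumentRoot.
# Prints nothing and returns 1 if the VIP is malformed.
apache_opr_config() {
    valid_ipv4 "$1" || return 1
    cat <<EOF
Port $2
ServerName $3

<VirtualHost $1>
    ServerName $1
    ServerAdmin admin@$3
    DocumentRoot $4
    ErrorLog /var/log/httpd/$1-error_log
    TransferLog /var/log/httpd/$1-access_log
</VirtualHost>
EOF
}

# Return 0 if the document root exists and holds index.html, which is the
# condition the manual's /etc/rc entry tests before starting Apache.
docroot_ready() {
    [ -d "$1" ] && [ -f "$1/index.html" ]
}

# Constructed sample of ifconfig output (not captured from a real host).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet 10.1.2.102 netmask 0xffffffff'

# Usage: sh opr_apache.sh <vip> <port> <fqdn> <docroot>
# Uses live ifconfig output when available, else the constructed sample.
if [ $# -eq 4 ]; then
    ifc=$(ifconfig -a 2>/dev/null) || ifc=$SAMPLE_IFCONFIG
    if vip_on_loopback "$1" "$ifc"; then
        echo "OK: $1 is aliased on the loopback"
    else
        echo "WARNING: $1 is not on the loopback; run the ifconfig step first" >&2
    fi
    apache_opr_config "$1" "$2" "$3" "$4" || { echo "ERROR: malformed VIP $1" >&2; exit 1; }
    docroot_ready "$4" || echo "WARNING: $4/index.html is missing; Apache will not start from /etc/rc" >&2
fi
```

Run it as sh opr_apache.sh <vip> <port> <fqdn> <docroot> and redirect the printed fragment into httpd.conf. A VIP that is not aliased on the loopback is exactly the OPR misconfiguration the troubleshooting table later lists as a cause of client timeouts and "service not found" errors, so the loopback check is worth keeping in any deployment script.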
Running Diagnostics

This section describes the available diagnostic information and in-field diagnostics.
Diagnostic LEDs

The front panel's LEDs provide information generated by the boot-time power-on-self-test (POST) and application restart sequences. There are four LEDs on the front panel, as shown below: Power, Status, Act 1 and Act 2.

Diagnostic LEDs

Power Indication

The front panel Power LED connects directly to the unit's power 
supply. If the Power LED is not illuminated, power is not connected 
to the unit, or the unit's power supply has failed. 
Boot-time LED Diagnostics

The front panel's Status, Act 1 and Act 2 LEDs display the transition through a sequence of codes at boot time indicating the SA8220's progress through the boot process. If the boot process aborts, terminates, or hangs before the SA8220 is online and functional, the state of the LEDs can help in diagnosing the problem. The table below describes the restart sequence and conditions.

Status   Act 1   Act 2   Condition
Off      Off     Off     BIOS boot failed
On       Off     Off     OS boot process failed
Off      On      Off     OS boot stage 1 failed
On       On      Off     OS boot stage 2 failed
Off      Off     On      OS boot stage 3 failed
On       Off     On      Application never started up
Off      On      On      Application restart stage 1 failed
On       On      On      Application restart stage 2 failed

After restart completes, the Status LED begins to blink and LED activity begins as described in the next section, "Run time LED Diagnostics."



Run time LED Diagnostics 

At run time, the LEDs provide information about unit activity as 
described below: 

Status LED 

• Blinks on and off quickly when serving as the active or 
standalone SA8220. 

• Blinks on and off slowly when configured for serial cable 
failover and serving as the backup SA8220. 

• Continuous on or off indicates a unit that has stopped responding 
(hung). 
Activity LEDs

The table below describes the run time behavior of the Activity LEDs (Act 1, Act 2).

Act 1        Act 2   Condition
Off          Off     No NIC activity
Slow blink   Off     1-100 connections per second
Fast blink   Off     100-300 connections per second
Solid        Off     300-400 connections per second
Solid        Blink   400-600 connections per second
Solid        Solid   600+ connections per second



Run time Errors

At run time, the SA8220's health-monitoring processes indicate critical error conditions by turning off the Status LED and blinking error patterns on the two Activity LEDs. The table below describes the run time error indications.

Status   Act 1   Act 2   Condition
Off      Off     Flash   NIC failure
Off      Blink   Off     Rich Application Failure (applies only when serial cable failover is enabled)
Off      Blink   Blink   Core Application Failure (applies only when serial cable failover is enabled)
Blink    Blink   Blink   Health Monitoring Failure (each LED lights in sequence)
Troubleshooting

This section contains descriptions of possible difficulties followed by possible causes and suggestions for solutions.

The table below contains the troubleshooting guide for the HP e-Commerce Traffic Director Server Appliance SA8200/SA8220 and the HP Traffic Director Server Appliance SA7200/SA7220.



Problem: Cannot ping the VIP
Possible Cause: Route role/protocol configuration is incorrect.
Solution: Ensure that the route role and protocol are set correctly. Route role must be set to "standalone" and protocol must be set to "none."

Problem: Cannot run the GUI Administrative interface
Possible Cause: DNS name resolution is incomplete.
Solution: To run the GUI, the SA8220 must be able to resolve its own hostname via DNS, both forward and reverse. The client machine on which the browser is running must also be able to resolve its own hostname using DNS, both forward and reverse.

Problem: GUI Administrative interface initialization fails
Possible Cause: DNS name resolution is incomplete.
Solution: The client machine's host name must be DNS-resolvable by the SA8220. If DNS is not used, use the config sys hosts add command at the CLI to add the client's hostname to the SA8220's local host file. The SA8220 also needs to be added to the client machine's local hosts file. For Windows* NT*, the hosts file is located in the c:\winnt\System32\drivers\etc directory. For Solaris*, edit /etc/nsswitch.conf to allow for local resolution. For UNIX*, the hosts file is located in /etc. The format of the entry is:

    <IP> <SA8220Name> <FullyQualifiedDomainName>

Example:

    10.1.1.2 Broker1 Broker1.mycompany.com

Problem: Slow client response from a web server through the SA8220 compared to response time directly from the web server
Possible Cause: Hostname/IP address resolution on the server may be misconfigured or incomplete, causing a delay in the server response.
Solution: Add the hostname/real IP address of the SA8220 to the HOSTS file on the server to eliminate any delay in hostname/IP address resolution on the server.

Problem: Slow client response from a Web server through the SA8220 compared to response time directly from the Web server
Possible Cause: Ethernet link configuration needs adjustment.
Solution: The SA8220 defaults to auto-negotiate mode on the ethernet link. However, some older routers may not handle auto-negotiate correctly.

Problem: An attempt to connect to the CLI Administrative interface results in the message "CLI not ready."
Possible Cause: Domain configuration is incorrect or incomplete.
Solution: Verify that the domain is correct. If it is incorrect, use the dns command at the Boot Monitor prompt to re-enter the correct information. Reboot the SA8220 and restart for changes to take effect.

Problem: (as above)
Possible Cause: DNS resolution is set on the SA8220 but is not being used at the site.
Solution: If the customer is not using DNS, remove the DNS entry by using the dns command at the Boot Monitor prompt.

Problem: (as above)
Possible Cause: Corrupted network configuration.
Solution: Perform "factory_reset" to clear network info such as host name, IP address, subnet mask, and default gateway. Reboot the SA8220 and restart for changes to take effect.

Problem: (as above)
Possible Cause: The SA8220 is designated as the backup SA8220 in a serial failover configuration.
Solution: This message is normal on a SA8220 designated as the backup for serial failover.

Problem: Telnet connection to CLI on offline SA8220 in serial failover mode does not appear to connect, or logon prompt does not appear immediately.
Possible Cause: DNS resolution is incomplete.
Solution: The client machine's host name must be DNS-resolvable by the SA8220. If DNS is not used, use the config sys hosts add command at the CLI to add the client's hostname to the SA8220's local host file. The SA8220 also needs to be added to the client machine's local hosts file. For Windows NT, the hosts file is located in the c:\winnt\System32\drivers\etc directory. For Solaris, edit /etc/nsswitch.conf to allow for local resolution. For UNIX, the hosts file is located in /etc. The format of the entry is:

    <IP> <SA8220Name> <FullyQualifiedDomainName>

Example:

    10.1.1.2 Broker1 Broker1.mycompany.com

Problem: Client connects directly to the fulfillment server, bypassing the SA8220
Possible Cause: Timing issue with routers.
Solution: Define a static route for the SA8220 on the router.

Problem: Unexpected routing behavior
Possible Cause: "Keepalive" option is enabled on the fulfillment servers when configured with the sticky option on the SA8220.
Solution: Turn off "Keepalive" on the fulfillment servers when using the sticky option.

Problem: Only some images load when routing in RICH-HTTP mode
Possible Cause: "Keepalive" option is enabled on the fulfillment servers when configured for RICH-HTTP service on the SA8220.
Solution: Turn off "Keepalive" on the fulfillment servers when using RICH-HTTP. When "Keepalive" is enabled on the fulfillment servers, each GET request from the client always returns to the same web server. If GIFs are defined on one server and JPGs on another, then only one of these image types is seen at the client.

Problem: Client getting timeout or "service not found" errors
Possible Cause: Proxy servers inhibit use of the sticky src-ip option.
Solution: Some ISPs use proxy servers to load balance client sessions. When the sticky src-ip option is enabled and the client's session is switched to another proxy server, the source IP address is changed. This may cause the SA8220 to route the request to a different server. The solution is to use the "sticky cookie" option instead of "sticky src-ip." In this mode, a cookie is sent to the client to force use of the same server regardless of the source IP.

Problem: (as above)
Possible Cause: The client is on the same subnet as the server (SAP mode only). This causes the server to return the response directly to the client, bypassing the SA8220. The client discards the response since the destination is that of the server and not the SA8220.
Solution: Configure the client and server to reside on different subnets.

Problem: (as above)
Possible Cause: For OPR configurations, the loopback adapter is not configured on the fulfillment server(s).
Solution: For instructions on configuring the loopback adapter on the server(s), please see "Set the Loopback" in Appendix D.

Problem: Round Robin Load Balancing works abnormally
Possible Cause: The directory and/or file content of the fulfillment servers defined under the service is not identical.
Solution: Configure all the servers under the same service with the same directory structure and file content.

Problem: (as above)
Possible Cause: New TCP connections, not client sessions, are assigned to fulfillment servers in a round robin fashion.
Solution: This is normal behavior. Multiple components of a web page (such as HTML and GIFs) require separate TCP connections. The requests are assigned to the fulfillment servers in round robin fashion, although it may not be apparent from the browser.
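The hosts-file entry format used in the solutions above (for "GUI Administrative interface initialization fails" and for the Telnet problem in serial failover mode), together with the check a practitioner would run before appending such an entry, as an added example that is not from the HP manual: the entry is accepted only if the fully qualified name begins with the short name and neither name already maps to a different IP in the existing hosts file, because a second mapping would make the forward lookup that the SA8220 and the GUI depend on ambiguous. The SAMPLE_HOSTS text is constructed, and the HOSTS_FILE variable is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the HP manual): checks a hosts-file entry in the
# manual's "<IP> <SA8220Name> <FullyQualifiedDomainName>" format against an
# existing hosts file before it is appended, so that the forward lookup the
# GUI and CLI rely on stays unambiguous. SAMPLE_HOSTS is constructed.

# Lower-case $1; hostnames compare case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Return 0 if short name $1 is the first label of FQDN $2, else 1.
fqdn_matches_name() {
    case "$(lc "$2")" in
        "$(lc "$1")".?*) return 0 ;;
    esac
    return 1
}

# Print every entry in hosts text $1 whose name list contains $2, as
# "<ip> <names...>", with comments and blank lines ignored.
lookup_name() {
    want=$(lc "$2")
    printf '%s\n' "$1" | sed 's/#.*//' | while read -r ip names; do
        [ -n "$ip" ] || continue
        for n in $names; do
            if [ "$(lc "$n")" = "$want" ]; then
                printf '%s %s\n' "$ip" "$names"
                break
            fi
        done
    done
}

# Check a proposed entry (IP $2, short name $3, FQDN $4) against hosts text $1.
# Returns 0 if it can be appended cleanly, 2 if the FQDN does not begin with
# the short name, 1 if either name already resolves to a different IP.
hosts_entry_check() {
    fqdn_matches_name "$3" "$4" || return 2
    existing=$( { lookup_name "$1" "$3"; lookup_name "$1" "$4"; } | awk '{print $1}' | sort -u)
    for ip in $existing; do
        [ "$ip" = "$2" ] || return 1
    done
    return 0
}

# Print the entry line in the manual's format; prints nothing and passes
# through the check's status if the entry is rejected.
hosts_entry() {
    hosts_entry_check "$1" "$2" "$3" "$4" || return $?
    printf '%s %s %s\n' "$2" "$3" "$4"
}

# Constructed sample hosts file (not taken from a real system).
SAMPLE_HOSTS='# constructed sample
127.0.0.1   localhost
10.1.1.5    client1 client1.mycompany.com   # browser workstation
10.1.1.9    Broker2 broker2.mycompany.com'

# Usage: sh hosts_entry.sh <ip> <name> <fqdn>
# Reads $HOSTS_FILE (default /etc/hosts); on success the printed line can be
# appended to that file.
if [ $# -eq 3 ]; then
    if ! hosts_entry "$(cat "${HOSTS_FILE:-/etc/hosts}")" "$@"; then
        echo "rejected (1 = name already maps to another IP, 2 = FQDN/name mismatch)" >&2
        exit 1
    fi
fi
```

The same check applies on the SA8220 side before running config sys hosts add for the client, and on a Windows host against the file in the drivers\etc directory named above; only the input text differs.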
Cleaning the Dust Filter

Background

The HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s and HP Traffic Director Server Appliance SA7200/SA7220s each have a dust filter element mounted behind the front grille and in front of the dual intake fans. This filter is washable and must be cleaned every six months at a minimum. If you use your SA8220 in an abnormally dusty environment, clean the filter more often. You need not interrupt the SA8220's operation to perform the following cleaning procedure.
Dust Filter Cleaning Procedure

To clean the dust filter, follow the steps below:

1. Remove the two Phillips screws that secure the metal grille on the left side of the SA8220's front panel. Remove the grille to expose the foam filter element.

2. Remove the foam filter element from its recess. 

3. Replace the grille and its screws while the filter element is being 
cleaned. 

4. Wash the filter in warm water and set aside to dry. 

5. Allow the filter to dry thoroughly before reinstalling in the 
SA8220. 

6. When the filter element is dry, remove the SA8220's front grille 
and replace the filter in its recess, ensuring that its entire 
perimeter is behind the metal lip of the recess. 

7. Replace the grille with its two Phillips screws. 
Taiwan Class A EMI Statement



VCCI Class A (Japan) 

VCCI Statement

Class A ITE 


This is a Class A product based on the standard of the Voluntary 
Control Council for Interference by Information Technology 
Equipment (VCCI). If this equipment is used in a domestic 
environment, radio disturbance may arise. When such trouble occurs, 
the user may be required to take corrective actions. 

WARNING: This is a Class A product. In a domestic environment 
this product may cause radio interference in which case the user may 
be required to take adequate measures. 

Internal access to HP equipment is intended only for qualified service 
personnel. 

Australia 




N-232 
FCC Part 15 Compliance Statement

This product has been tested and found to comply with the limits for 
a Class A digital device pursuant to Part 15 of the FCC rules. These 
limits are designed to provide reasonable protection against harmful 
interference when the equipment is operated in a commercial 
environment. 

This product generates, uses, and can radiate radio frequency energy 
and, if not installed and used in accordance with the instruction 
manual, may cause harmful interference to radio communications. 
However, there is no guarantee that interference will not occur in a 
particular installation. If this equipment does cause harmful 
interference to radio or television reception, which can be determined 
by turning this equipment off and on, the user is encouraged to try to 
correct the interference by one or more of the following measures: 

• Change the direction of the radio or TV antenna. 

• To the extent possible, relocate the radio, TV, or other receiver 
away from the product. 

• Plug the product into a different electrical outlet so that the 
product and the receiver are on different branch circuits. 

If these suggestions don't help, consult your dealer or an experienced 
radio/TV repair technician for more suggestions. 

NOTE: This device complies with Part 15 of the FCC Rules. 
Operation is subject to the following two conditions: (1) This 
device may not cause harmful interference, and (2) this device must 
accept any interference received, including interference that may 
cause undesired operation. 

CAUTION: If you make any modification to the equipment not 
expressly approved by HP, you could void your authority to operate 
the equipment. 
Canada Compliance Statement (Industry Canada)

This digital apparatus complies with the Class A radio noise limits applicable to digital apparatus as prescribed in the interference-causing equipment standard "Appareils Numeriques", NMB-003, issued by the Canadian Minister of Communications.

This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the interference-causing equipment standard entitled: "Digital Apparatus," ICES-003 of the Canadian Department of Communications.



CE Compliance Statement 

This e-Commerce Traffic Director Server Appliance SA8200/ 
SA8220 or Traffic Director Server Appliance SA7200/SA7220 
complies with the EU Directive, 89/336/EEC, using the EMC 
standards EN55022 (Class A) and EN50082-1. This product also 
complies with the EU Directive, 73/23/EEC, using the safety 
standard EN60950. 



CISPR 22 Statement 

WARNING: This is a Class A product. In a domestic environment 
this product may cause radio interference in which case the user may 
be required to take adequate measures. 
WARNING

The system is designed to operate in a typical office environment. 
Choose a site that is: 

• Clean and free of airborne particles (other than normal room 
dust). 

• Well-ventilated and away from sources of heat including direct sunlight.

• Away from sources of vibration or physical shock. 

• Isolated from strong electromagnetic fields produced by 
electrical devices. 

• In regions that are susceptible to electrical storms, we 
recommend you plug your system into a surge suppressor and 
disconnect telecommunication lines to your modem during an 
electrical storm. 

• Provided with a properly grounded wall outlet. 

Do not attempt to modify or use the supplied AC power cord if it is 
not the exact type required. 

Ensure that the system is disconnected from its power source and 
from all telecommunications links, networks, or modem lines 
whenever the chassis cover is to be removed. Do not operate the 
system with the cover removed. 
WARNING (French)

The system is designed to operate in a normal working environment. The chosen site must be:

• Clean and free of airborne dust (other than normal dust).

• Well ventilated and away from sources of heat, including direct sunlight.

• Sheltered from shocks and sources of vibration.

• Isolated from strong magnetic fields generated by electrical devices.

• In regions subject to magnetic storms, it is recommended that you plug your system into a surge suppressor and disconnect all telecommunication lines from your modem during a storm.

• Equipped with a properly grounded wall outlet.

Do not use or modify the supplied AC power cord if it does not exactly match the required type.

Make sure the system is disconnected from its power supply and from all telecommunication links, networks, and modem lines before removing the cover. Do not operate the system with the cover removed.
WARNING (German)

The system is designed for operation in a normal office environment. The site should:

• be clean and free of dust (ordinary house dust excepted);

• be well ventilated and not exposed to heat sources (including direct sunlight);

• not be exposed to vibration;

• have no strong electromagnetic fields generated by electrical devices;

• in regions where electrical storms occur, be connected to a surge protector; during an electrical storm the telecommunication lines should not be connected to the modem;

• be provided with a grounded AC outlet.

Do not attempt to modify or use the supplied power cord if it is not exactly the required type.

The system must not be connected to a power source, nor to any telecommunications equipment, network, or modem line, when the chassis cover is removed. Do not operate the system without the cover.
WARNING (Italian)

The system is designed to operate in a typical working environment. Choose a location that is:

• Clean and free of airborne particles (apart from the normal dust present in the environment).

• Well ventilated and away from heat sources, including direct sunlight.

• Protected from impacts and away from sources of vibration.

• Isolated from strong magnetic fields produced by electrical devices.

• In areas subject to thunderstorms, it is advisable to connect the system to a surge limiter. During thunderstorms, disconnect the communication lines from the modem.

• Equipped with a properly installed wall outlet.

Do not modify or use the AC power cord supplied by the manufacturer if it does not exactly match the required type.

Before removing the chassis cover, make sure the system is disconnected from the power supply and from all communication links, networks, or modem lines. Do not start the system without first putting the cover back in place.
WARNINGS (Spanish)

The system is designed to operate in a normal working environment. Choose a location that is:

• Clean and free of airborne particles (except normal dust).

• Well ventilated and away from heat sources, including direct sunlight.

• Away from sources of vibration.

• Isolated from strong electromagnetic fields produced by electrical devices.

• In regions with frequent electrical storms, it is recommended that you connect your system to a surge suppressor and disconnect the modem from the telecommunication lines during storms.

• Provided with a properly installed ground connection.

Do not attempt to modify or use the AC power cord if it does not correspond exactly to the required type.

Make sure that whenever the chassis cover is removed, the system has been disconnected from the power supply and from all telecommunication, network, and modem-line connections. Do not operate the system while the cover is removed.
Important Safety Instructions

1. Please read these instructions carefully.

2. Keep these instructions for later use.

3. Disconnect the device from the mains before cleaning it. Do not use liquid or aerosol cleaners. A damp cloth is best for cleaning.

4. To avoid damaging the device, use only accessories approved by the manufacturer.

5. Protect the device from moisture.

6. When setting up the device, make sure it stands securely. Tipping or falling could cause injury. Use only safe locations and follow the manufacturer's installation instructions.

7. The ventilation openings provide the air circulation that protects the device from overheating. Make sure these openings are not covered.

8. When connecting to the mains, observe the rated connection values.

9. For electrical safety, the mains outlet must have a protective earth contact.

10. Route the mains cable so that nobody can trip over it. Nothing should be placed on the cable.

11. All notices and warnings on the device are to be observed.

12. If the device is not used for a long period, disconnect it from the mains. This prevents damage in the event of a power surge.

13. Never allow objects or liquids to enter the device through the ventilation openings. This could cause a fire or electric shock.

14. Never open the device. For electrical safety, the device may only be opened by authorized service personnel.

15. Disconnect the device from the mains and have it checked by a qualified service facility if any of the following occurs:

a. The power cable or plug is damaged.

b. Liquid has entered the device.

c. The device has been exposed to moisture.

d. The device does not function as described in the operating instructions, or you cannot correct the problem with the help of these instructions.

e. The device has been dropped and/or the housing is damaged.

f. The device shows clear signs of a defect.

16. Only original spare parts, or parts equivalent to the original parts, may be used for repairs. Using unsuitable spare parts can cause further damage.

17. Refer all questions concerning service and repair to your service partner. This ensures the operational safety of the device.

18. An approved cable must be used to connect this device to the mains. For a rated current of up to 6 A and a device weight greater than 3 kg, use a cable no lighter than H05VV-F, 3G, 0.75 mm².
Software License Agreements

ATTENTION: USE OF THE SOFTWARE IS SUBJECT TO THE 
HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING 
THE SOFTWARE INDICATES YOUR ACCEPTANCE OF 
THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE 
LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR 
A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH 
ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE 
UNUSED PRODUCT FOR A FULL REFUND. 



HP SOFTWARE LICENSE TERMS 

License Grant. HP grants you a license to Use one copy of the 
Software. "Use" means storing, loading, installing, executing or 
displaying the Software. You may not modify the Software or disable 
any licensing or control features of the Software. If the Software is 
licensed for "concurrent use", you may not allow more than the 
maximum number of authorized users to Use the Software 
concurrently. 
Ownership. The Software is owned and copyrighted by HP or its 
third party suppliers. Your license confers no title or ownership and 
is not a sale of any rights in the Software, its documentation or the 
media on which they are recorded or printed. Third party suppliers 
may protect their rights in the Software in the event of any 
infringement. 

Copies and Adaptations. You may only make copies or adaptations 
of the Software for archival purposes or when copying or adaptation 
is an essential step in the authorized Use of the Software on a backup 
product, provided that copies and adaptations are used in no other 
manner and provided further that Use on the backup product is 
discontinued when the original or replacement product becomes 
operable. You must reproduce all copyright notices in the original 
Software on all copies or adaptations. You may not copy the 
Software onto any public or distributed network. 

No Disassembly or Decryption. You may not disassemble or 
decompile the Software without HP's prior written consent. Where 
you have other rights under statute, you will provide HP with 
reasonably detailed information regarding any intended disassembly 
or decompilation. You may not decrypt the Software unless 
necessary for the legitimate use of the Software. 

Transfer. Your license will automatically terminate upon any 
transfer of the Software. Upon transfer, you must deliver the 
Software, including any copies and related documentation, to the 
transferee. The transferee must accept these License Terms as a 
condition to the transfer. 

Termination. HP may terminate your license upon notice for failure 
to comply with any of these License Terms. Upon termination, you 
must immediately destroy the Software, together with all copies, 
adaptations and merged portions in any form. 

Export Requirements. You may not export or re-export the 
Software or any copy or adaptation in violation of any applicable 
laws or regulations. 

U.S. Government Restricted Rights. The Software and any 
accompanying documentation have been developed entirely at 
private expense. They are delivered and licensed as "commercial 
computer software" as defined in DFARS 252.227-7013 (Oct 1988), 
DFARS 252.211-7015 (May 1991) or DFARS 252.227-7014 (Jun 
1995), as a "commercial item" as defined in FAR 2.101(a), or as 
"Restricted computer software" as defined in FAR 52.227-19 (Jun 
1987)(or any equivalent agency regulation or contract clause), 
whichever is applicable. You have only those rights provided for 
such Software and any accompanying documentation by the 
applicable FAR or DFARS clause or the HP standard software 
agreement for the product involved. 
Glossary

This section defines terms and acronyms used throughout the HP Traffic Director Server Appliances User Guide.

Certificate    A digitally-signed token used in an SSL-encrypted transaction. It contains, among other things, the issuer (the Certificate Authority that issued the certificate), the organization that owns the certificate, the public key, the validity period of the certificate, and the hostname.

Cipher    Any encryption algorithm, either symmetric or public key, operating either on a data stream or on fixed-size blocks.

Client Authentication    A means of requesting a client certificate for the purpose of verifying the client's identity.

Client CA    See "Client Authentication".

CRL    Certificate Revocation List: a timestamped list, published by a Certificate Authority, that identifies revoked certificates by their serial numbers.

DHCP    Dynamic Host Configuration Protocol. This protocol allows servers to assign IP addresses to nodes (workstations) dynamically, on the fly.

DN    Distinguished Name. The name (a set of attributes such as CN, O and C) that identifies the subject of a certificate. Used when creating a signing request.

DNS    Domain Name System. The mechanism used on the Internet for translating the names of host machines into addresses.

Eligible Server    A server in a lower priority service's server pool.

Fulfillment Server    A server that stores content and runs applications to respond to user requests.

Heartbeat    A signal acknowledging the existence/operation of the SA8220. The heartbeat command enables the SA8220 to display a message on the console every heartbeat interval.

HTTP    Hypertext Transfer Protocol: the protocol used between a web browser and a server to request a document and transfer its contents.

HTTPS    HTTP exchanged over an SSL-encrypted session.

IP    Internet Protocol.

IP Address    A unique identifier for a node on an IP network, expressed in "dotted decimal" notation. For example: 10.0.0.1.

IP Service    A network-accessible, IP-accessible application protocol. For example: HTTP, FTP, and the like. For administration purposes, services are identified by Virtual IP:Port.

KB    Kilobytes, or thousands of bytes, of data.

Key    A public key and private key pair used to encrypt and decrypt messages. See also "Keypair".

Key Strength    Length, in bits, of the keys used in data encryption or authentication. For example: 56, 128, 512.

Keypair    Matching public and private keys.

LDAP    Lightweight Directory Access Protocol: a protocol for accessing common directory information.

Load Balancing    The distribution of processing and communications activity across a computer network so that no single device is overwhelmed. Load balancing is particularly important for networks on which it is difficult to predict the volume of requests likely to be issued to a server. Busy Web sites typically employ two or more Web servers in load balancing roles.

MB    Megabytes, or millions of bytes, of data.

MIB    Management Information Base. A repository of the characteristics and parameters managed in a network device, such as a NIC, hub, switch, or router.

MSAP    Multi-Hop Source Address Preservation. MSAP allows requests to pass through two cascaded SA8220s in different geographical areas. Similar to SAP, but with geographic dispersal. See also "SAP".

NIC    Network Interface Card. The adapter that connects a device to a network, running the code the device needs to share a cable or other medium with other stations.

NTP    Network Time Protocol. A protocol for synchronizing the clocks of Internet hosts around the world.

OPR    Out of Path Return. The ability to establish a session or connection and then transfer the session to a fulfillment server. After the fulfillment server receives the original request, it responds directly to the client by a path other than the one established for the original connection. This method typically results in faster delivery of the requested content to the client.

OSPF    Open Shortest Path First, a link-state routing protocol.

Policy    Rules used to change the apportionment of server resources according to conditions and thresholds established by a system administrator.

Policy Group    A set of services chosen and prioritized to automate network performance in support of a specific business model.

Port    In the context of TCP/IP sessions, a unique protocol-specific handle; a service is identified by its port number, for example HTTP on port 80.

Priority    Description of an IP service's place in the hierarchy of services within a Policy Group.

Private Key    The part of a key in a public key system that is kept secret and used only by its owner. It is used for decrypting messages and for making digital signatures.

Public Key    The part of a key in a public key system that is distributed widely and need not be kept secret. It is used for encrypting messages and for verifying signatures.

RICH    Real-time Intelligent Content Handling. Descriptive of the manner in which Commerce Director analyzes and allocates requests for IP services according to the type of content requested.

SAP    Source Address Preservation. An SA8220 option which, when enabled, allows server logs to reflect the true IP addresses of requesting clients.

Service    An IP application paired with a port number. For example, "HTTP:80" describes a service consisting of a server's HTTP application listening on port 80. Another example of a service: "FTP:21".

Signing Request    A certificate signing request: the public key and Distinguished Name submitted to a Certificate Authority when requesting a certificate.

SNMP    Simple Network Management Protocol.

SSH    Secure Shell.

SSL    Secure Sockets Layer. A protocol developed by Netscape for encrypted transmission over TCP/IP networks, setting up a secure end-to-end link.

Target Response Time    A time (expressed in milliseconds) representing the ideal maximum time required to serve requests for that Service.

URI    Uniform Resource Identifier, taken from the HTTP Request-Line, that identifies the resource to which the request applies. The URI limit is 7,500 bytes on a GET request.

Verisign    A well-known Certificate Authority.
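The "DN" and "Client Authentication" entries above rely on the Distinguished Name that identifies a certificate's subject; when an appliance or application makes an authorization decision on a DN field (for example, the CN of a client certificate), the string form of that DN has to be parsed correctly. The following is an added example, not code from the HP Traffic Director documentation: a small parser for the string DN format (the attribute=value, comma-separated form standardized in RFC 4514) that honours backslash escapes, shown beside the naive comma-split that gets the escapes wrong. The sample DNs, the function names and the "Trusted Corp" organization are all constructed for illustration.

```python
"""Parse an RFC 4514-style Distinguished Name string into attribute/value pairs.

Added example for the glossary's "DN" and "Client Authentication" entries;
not code from the HP Traffic Director documentation. The sample DNs at the
bottom are constructed for illustration.
"""
from typing import List, Tuple

_HEX = set("0123456789abcdefABCDEF")


def _unescape(raw: str) -> str:
    """Decode the escapes in one attribute value.

    '\\X' yields the literal character X; '\\hh' (two hex digits) yields one
    raw byte. Bytes are accumulated and decoded as UTF-8 at the end so that a
    multi-byte character written as several '\\hh' escapes round-trips.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            if i + 2 < len(raw) and raw[i + 1] in _HEX and raw[i + 2] in _HEX:
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
                continue
            out += raw[i + 1].encode("utf-8")
            i += 2
            continue
        out += c.encode("utf-8")
        i += 1
    return out.decode("utf-8")


def _rstrip_unescaped(value: str) -> str:
    """Drop trailing spaces unless the last one is escaped ('\\ ')."""
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs in the order written.

    Only an unescaped ',' (or '+', which joins the parts of a multi-valued
    RDN) separates components; a backslash protects the character after it,
    so 'O=Example\\, Inc.' stays one component. Attribute types are
    upper-cased; values are returned with their escapes decoded.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape intact for _unescape
            i += 2
            continue
        if c in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.lstrip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN component: {part!r}")
        value = _rstrip_unescaped(value.lstrip())
        pairs.append((attr.strip().upper(), _unescape(value)))
    return pairs


def naive_parse_dn(dn: str) -> List[Tuple[str, str]]:
    """The shortcut to avoid: splitting on every ',' ignores escaping."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]


def attribute_values(dn: str, attr: str) -> List[str]:
    """Every value of one attribute type (for example, all CN values)."""
    wanted = attr.upper()
    return [v for a, v in parse_dn(dn) if a == wanted]


# Constructed sample subjects (not taken from the product documentation).
SUBJECT = "CN=www.example.com, O=Example\\, Inc., L=Cupertino, C=US"
# What a requester could put in the CN if the issuing CA allows commas there:
SPOOFED = "CN=www.example.com\\,O=Trusted Corp, C=US"

if __name__ == "__main__":
    print("subject:", parse_dn(SUBJECT))
    print("proper :", parse_dn(SPOOFED))
    print("naive  :", naive_parse_dn(SPOOFED))
```

With the spoofed subject, `parse_dn` reports a single CN of `www.example.com,O=Trusted Corp` and no O attribute at all, whereas `naive_parse_dn` reports an O of `Trusted Corp`; any access rule keyed on the organization would be fooled by the naive version. The same escape rules apply when a DN is built for a signing request, so values containing commas, plus signs or leading/trailing spaces must be escaped before they are written.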
Support for your SA8220

U.S. and Canada

For hardware service and telephone support, contact:

• An HP-authorized reseller
or

• HP Customer Support Center at 1-800-633-3600

For hardware service and telephone support, contact:

• An HP-authorized reseller
or

• One of the following HP Customer Support Centers:

Country and Number

Austria - 0660 6386

Belgium (Dutch) - 02 626 8806

Belgium (French) - 02 626 8807

Czech Republic - 420 2 613 07 310

Denmark - 3929 4099

English (non-UK) - +44 20 7512 5202

Finland - 02 03 47 288

France - 01 43 62 3434

Germany - 0180 525 8143

Greece - +30 (0) 16196411

Hungary - 36 1 382 1111

Ireland - 01 662 5525

Israel - 972 9 952 4848

Italy - 02 2 641 0350

Netherlands - 020 6068751

Norway - 22 11 6299

Poland - +48 22 8659800

Portugal - 21 317 6333

Russia - 7095 797 3520

South Africa (RSA) - 086 000 1030

Outside RSA - +27 11 258 9301

Spain - 902 321 123

Sweden - 08 619 2170

Switzerland - 084 880 1111

Turkey - 90 212 221 6969

United Kingdom - 020 7512 5202
For hardware service and telephone support, contact an HP-authorized reseller or one of these support centers:

Country and Number

Australia - 03-8877-8000

Hong Kong - 800-96-2598

India - 91-11-6826035

Indonesia - 0800-21511

Japan - 0120-220-119

Korea - +82-2-32700911

Malaysia - 60 3 2931811 or 1-800-881811

New Zealand:

  Upper North Island - 09-356-6640

  Lower North Island - 04-499-2026

  South Island - 03-365-9805

People's Republic of China - 86-8008105959

Philippines - 63 2 811-0643

Singapore - +65-2725300

Taiwan - +866-080-010055 / 886-2-7170055

Thailand - 66 2 6613891

Vietnam:

  Hanoi - 84 4 9430101

  Ho Chi Minh City - 84 8 8324155
Latin America

For hardware service and telephone support, contact an HP-authorized reseller or one of these support centers:

Country and Number

Argentina - (541) 4778-8380

Brazil:

  Sao Paulo - (11) 3747-7799

  All Others - 0800-15-77-51

Chile - 800-360-9999

Colombia - 9-800-91-9477

Guatemala - 1-800-999-5305

Mexico:

  Ciudad de Mexico - 5258-9922

  All Others - 800-472-6684

Peru - 0-800-10111

Puerto Rico - 1-877-232-0589

Venezuela:

  Caracas - 207-8488

  All Others - 800-47-777



Other Countries

For hardware service, contact your local authorized reseller or HP sales office. For telephone support, contact your authorized reseller.